
Apache Tomcat Contains an Open Redirect Vulnerability - 20230905003

Overview

Apache Tomcat contains a URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication.

If the ROOT (default) web application is configured to use FORM authentication, a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.

What is the vulnerability?

CVE-2023-41080 - CVSS v3 Base Score: 6.1

What is vulnerable?

The vulnerability affects the following products:

  • Apache Tomcat 11.0.0-M1 to 11.0.0-M10
  • Apache Tomcat 10.1.0-M1 to 10.1.12
  • Apache Tomcat 9.0.0-M1 to 9.0.79
  • Apache Tomcat 8.5.0 to 8.5.92
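
As an added example (not part of this advisory or of Tomcat itself), a defender-side triage check that combines the affected version ranges above with the FORM-authentication condition from the overview: it orders Tomcat version strings (milestone builds such as 11.0.0-M3 sort before the GA release of the same number) and inspects a copy of the ROOT application's deployment descriptor for `<auth-method>FORM</auth-method>`. The sample descriptor is constructed; the standard location webapps/ROOT/WEB-INF/web.xml is an assumption about the deployment layout.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges (inclusive) as listed in the advisory for CVE-2023-41080.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M10"),
    ("10.1.0-M1", "10.1.12"),
    ("9.0.0-M1", "9.0.79"),
    ("8.5.0", "8.5.92"),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sortable key; a milestone (e.g. 9.0.0-M1) precedes the GA 9.0.0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)  # GA sorts last
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected_version(version: str) -> bool:
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def uses_form_auth(web_xml: str) -> bool:
    """True if the descriptor declares FORM authentication (namespace-agnostic)."""
    for elem in ET.fromstring(web_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag == "auth-method" and (elem.text or "").strip().upper() == "FORM":
            return True
    return False


def assess(version: str, root_web_xml: str) -> str:
    """Triage verdict for one host: version in range AND ROOT uses FORM auth."""
    if not is_affected_version(version):
        return "not-affected-version"
    return "exposed" if uses_form_auth(root_web_xml) else "affected-version-no-form-auth"


# Constructed sample of a ROOT WEB-INF/web.xml that protects ROOT with FORM auth.
SAMPLE_ROOT_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/login.html</form-login-page></form-login-config>
  </login-config>
</web-app>"""

if __name__ == "__main__":
    for v in ("9.0.79", "9.0.80", "10.1.0-M5", "8.5.93"):
        print(v, assess(v, SAMPLE_ROOT_WEB_XML))
```

Feed it the version reported by the Tomcat instance and the contents of its ROOT descriptor; hosts returning "exposed" are the ones to patch first.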

Recommendation

The WA SOC recommends administrators apply the mitigations as per vendor instructions to all affected devices within the expected timeframe of one month (refer to Patch Management):