GitHub Advisory Database: GHSA-Q3MW-PVR8-9GGC
Aug 25, 2023 - 9:30 p.m.

Apache Tomcat Open Redirect vulnerability

Published: 2023-08-25 21:30:48
CWE-601
Source: GitHub Advisory Database (github.com)
Tags: apache tomcat, open redirect, vulnerability, form authentication, untrusted site, root web application, software

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.002 Low
Percentile: 64.6%

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.

The vulnerability is limited to the ROOT (default) web application.

Affected configurations

Vulners node:

youtube_embed_project youtube_embed, Range < 11.0.0-M11
OR
embed_pdf_project embed_pdf, Range < 10.1.13
OR
youtube_embed_project youtube_embed, Range < 9.0.80
OR
youtube_embed_project youtube_embed, Range < 8.5.93
OR
org.apache.tomcat\Matchtomcat
OR
org.apache.tomcat\Matchtomcat
OR
org.apache.tomcat\Matchtomcat
OR
org.apache.tomcat\Matchtomcat
