In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL.
This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have force_https set to true (default: false)

Patches

Version 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL’s from being redirected to.

Workarounds

There is a simple way to work around the security issue

Set the force_https to every tenant to false

References

https://nvd.nist.gov/vuln/detail/CVE-2018-11784

For more information

If you have any questions or comments about this advisory:

CPENameOperatorVersion
hyn/multi-tenanteq5.6.0
hyn/multi-tenanteq5.6.4
hyn/multi-tenanteq5.7.1
hyn/multi-tenanteq5.6.1
hyn/multi-tenanteq5.6.3
hyn/multi-tenanteq5.7.0
hyn/multi-tenanteq5.6.2

Name	Operator	Version
hyn/multi-tenant	eq	5.6.0
hyn/multi-tenant	eq	5.6.4
hyn/multi-tenant	eq	5.7.1
hyn/multi-tenant	eq	5.6.1
hyn/multi-tenant	eq	5.6.3
hyn/multi-tenant	eq	5.7.0
hyn/multi-tenant	eq	5.6.2

References

github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164

github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6

nvd.nist.gov/vuln/detail/CVE-2021-32645

packagist.org/packages/hyn/multi-tenant

webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html

github 2

cve 2

veracode 3

osv 8

cvelist 2

nvd 2

prion 2

openvas 24

nessus 35

centos 1

checkpoint_advisories 1

ibm 17

debian 3

redhatcve 1

nuclei 1

f5 1

suse 5

amazon 3

fedora 3

ubuntucve 1

packetstorm 1

zdt 1

ubuntu 1

debiancve 1

atlassian 3

cisa 1

redhat 6

tomcat 3

symantec 2

oraclelinux 3

kaspersky 1

exploitdb 1

almalinux 1

mageia 1

rocky 1

hackerone 1

avleonov 1

oracle 6

github

Open Redirect

2022-03-18 17:55:07

Apache Tomcat Open Redirect vulnerability

2018-10-17 16:31:02

cve

CVE-2021-32645

2021-05-27 17:15:08

CVE-2018-11784

2018-10-04 13:29:00

veracode

Open Redirection

2021-05-28 05:56:54

Open Redirection

2019-01-15 09:25:50

Open Redirection

2018-10-04 09:06:12

osv

CVE-2021-32645

2021-05-27 17:15:08

Apache Tomcat Open Redirect vulnerability

2018-10-17 16:31:02

tomcat7 - security update

2018-10-14 00:00:00

cvelist

CVE-2021-32645 Open Redirect in tenancy

2021-05-27 16:50:11

CVE-2018-11784

2018-10-03 00:00:00

nvd

CVE-2021-32645

2021-05-27 17:15:08

CVE-2018-11784

2018-10-04 13:29:00

prion

Open redirect

2021-05-27 17:15:00

Design/Logic Flaw

2018-10-04 13:29:00

openvas

Apache Tomcat Open Redirect Vulnerability - Windows

2018-10-05 00:00:00

Debian: Security Advisory (DLA-1545-1)

2018-10-15 00:00:00

openSUSE: Security Advisory for tomcat (openSUSE-SU-2018:3453-1)

2018-10-26 00:00:00

nessus

Apache Tomcat 7.0.23 < 7.0.91

2018-10-10 00:00:00

Amazon Linux AMI : tomcat7 (ALAS-2018-1099)

2018-11-08 00:00:00

openSUSE Security Update : tomcat (openSUSE-2018-1504)

2018-12-10 00:00:00

centos

tomcat security update

2019-03-19 14:33:17

checkpoint_advisories

Apache Tomcat Default Servlet Open Redirect (CVE-2018-11784)

2019-02-19 00:00:00

ibm

Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2018-11784)

2019-03-27 12:55:02

Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology

2021-04-28 18:35:50

Security Bulletin: Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2018-11784)

2023-03-29 01:48:02

debian

[SECURITY] [DLA 1544-1] tomcat7 security update

2018-10-14 20:43:08

[SECURITY] [DLA 1545-1] tomcat8 security update

2018-10-15 16:56:28

[SECURITY] [DSA 4596-1] tomcat8 security update

2019-12-27 22:15:49

redhatcve

CVE-2018-11784

2019-11-02 09:34:32

nuclei

Apache Tomcat - Open Redirect

2021-03-18 16:22:01

K64921482 : Apache Tomcat vulnerability CVE-2018-11784

2018-10-25 00:00:00

suse

Security update for tomcat (moderate)

2018-10-25 18:22:29

Security update for tomcat (moderate)

2018-12-08 00:21:25

Security update for virtualbox (important)

2019-01-25 00:00:00

amazon

Medium: tomcat7

2018-11-05 19:35:00

Medium: tomcat

2019-04-04 22:00:00

Important: tomcat8

2019-05-16 23:11:00

fedora

[SECURITY] Fedora 29 Update: tomcat-9.0.13-1.fc29

2019-02-13 02:48:13

[SECURITY] Fedora 29 Update: tomcat-9.0.21-1.fc29

2019-07-04 02:51:06

[SECURITY] Fedora 28 Update: tomcat-8.5.35-1.fc28

2019-04-03 02:02:31

ubuntucve

CVE-2018-11784

2018-10-04 00:00:00

packetstorm

Apache Tomcat 9.0.0M1 Open Redirect

2021-07-11 00:00:00

zdt

Apache Tomcat 9.0.0.M1 - Open Redirect Vulnerability

2021-07-13 00:00:00

ubuntu

Tomcat vulnerability

2018-10-10 00:00:00

debiancve

CVE-2018-11784

2018-10-04 13:29:00

atlassian

Update Tomcat to 8.5.34 to avoid CVE-2018-11784

2018-10-10 09:22:17

Update Tomcat to 8.5.34 to avoid CVE-2018-11784

2018-10-10 09:22:17

Upgrade to Tomcat 8.5.32 necessary

2018-08-01 09:33:53

cisa

Apache Releases Security Updates for Apache Tomcat

2018-10-04 00:00:00

redhat

(RHSA-2019:0485) Moderate: tomcat security update

2019-03-12 08:24:45

(RHSA-2018:2868) Important: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update

2018-10-03 13:41:48

(RHSA-2019:0131) Moderate: Red Hat JBoss Web Server 3.1 Service Pack 6 security and bug fix update

2019-01-22 13:28:13

tomcat

Fixed in Apache Tomcat 7.0.91

2018-09-19 00:00:00

Fixed in Apache Tomcat 9.0.12

2018-09-10 00:00:00

Fixed in Apache Tomcat 8.5.34

2018-09-10 00:00:00

symantec

Apache Tomcat CVE-2018-11784 Open Redirection Vulnerability

2018-10-03 00:00:00

Apache Tomcat Vulnerabilities Oct 2018 – Feb 2020

2020-05-12 19:02:01

oraclelinux

tomcat security update

2019-03-13 00:00:00

pki-deps:10.6 security update

2019-07-30 00:00:00

tomcat security, bug fix, and enhancement update

2019-08-13 00:00:00

kaspersky

KLA11327 SB vulnerability in Apache Tomcat

2018-10-03 00:00:00

exploitdb

Apache Tomcat 9.0.0.M1 - Open Redirect

2021-07-13 00:00:00

almalinux

Important: pki-deps:10.6 security update

2019-06-18 16:36:21

mageia

Updated tomcat packages fix security vulnerabilities

2018-12-10 00:20:39

rocky

pki-deps:10.6 security update

2019-06-18 16:36:21

hackerone

U.S. Dept Of Defense: Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE

2020-05-14 19:38:44

avleonov

Last Week’s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins

2021-07-19 16:29:00

oracle

Oracle Critical Patch Update Advisory - January 2019

2019-01-15 00:00:00

Oracle Critical Patch Update Advisory - October 2019

2020-01-22 00:00:00

Oracle Critical Patch Update Advisory - April 2019

2019-04-16 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

0.791 High

EPSS

Percentile

98.3%

JSON

Related for OSV:GHSA-4R8Q-GV9J-3XX6