Open Redirect Affecting tomcat package, versions <9.0.12-3.8.3


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Scope Changed

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 83.72% (99th percentile)
Expand this section
NVD
4.3 medium
Expand this section
SUSE
6.1 medium
Expand this section
Red Hat
5.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-SLES150-TOMCAT-2759123
  • published 14 Apr 2022
  • disclosed 3 Dec 2018

How to fix?

Upgrade SLES:15.0 tomcat to version 9.0.12-3.8.3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tomcat package and not the tomcat package as distributed by SLES. See How to fix? for SLES:15.0 relevant fixed versions and status.

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.