CVE-2018-11784 Apache Tomcat - Open Redirect
Vendor: The Apache Software Foundation
Apache Tomcat 9.0.0.M1 to 9.0.11
Apache Tomcat 8.5.0 to 8.5.33
Apache Tomcat 7.0.23 to 7.0.90
The unsupported 8.0.x release line has not been analysed but is likely
to be affected.
When the default servlet returned a redirect to a directory (e.g.
redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any
URI of the attackers choice.
Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 9.0.12 or later.
- Upgrade to Apache Tomcat 8.5.34 or later.
- Upgrade to Apache Tomcat 7.0.91 or later.
- Use mapperDirectoryRedirectEnabled="true" and
mapperContextRootRedirectEnabled="true" on the Context to ensure that
redirects are issued by the Mapper rather than the default Servlet.
See the Context configuration documentation for further important
This vulnerability was found by Sergey Bobrov and reported responsibly
to the Apache Tomcat Security Team.
2018-10-03 Original advisory