Details
Dependency upgrade
Status: Resolved
Major
Resolution: Fixed
9.1.0
None
None
Description
Moderate: Open redirect CVE-2023-41080
If the ROOT (default) web application is configured to use FORM authentication, then a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.
This was fixed with commit
https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27
This issue was reported to the Tomcat Security Team on 17 August 2023. The issue was made public on 22 August 2023.
Affects: 10.1.0-M1 to 10.1.12
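A triage check for the two conditions in the description (a version in the affected range stated on this page, and FORM authentication on the ROOT web application), as an added example that is not code from this ticket or from the Tomcat project. The function names are hypothetical and the sample `web.xml` is constructed; only the 10.1.0-M1 to 10.1.12 range given above is covered.

```python
import re
import xml.etree.ElementTree as ET

# Version strings look like "10.1.12" or "10.1.0-M17" (milestone build).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def parse_version(text):
    """Return a sortable tuple; a milestone (-Mn) sorts before the final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    # Final releases get (1, 0) so that 10.1.0-M17 < 10.1.0.
    suffix = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + suffix

# Affected range as stated on this page.
AFFECTED_FIRST = parse_version("10.1.0-M1")
AFFECTED_LAST = parse_version("10.1.12")

def in_affected_range(version):
    return AFFECTED_FIRST <= parse_version(version) <= AFFECTED_LAST

def uses_form_auth(web_xml):
    """True if the deployment descriptor declares <auth-method>FORM</auth-method>."""
    for el in ET.fromstring(web_xml).iter():
        # Strip the XML namespace, which differs between servlet spec versions.
        name = el.tag.rsplit("}", 1)[-1]
        if name == "auth-method" and (el.text or "").strip() == "FORM":
            return True
    return False

def root_app_exposed(version, root_web_xml):
    """Both conditions from the description: affected version and FORM auth on ROOT."""
    return in_affected_range(version) and uses_form_auth(root_web_xml)

# Constructed sample descriptor for a ROOT web application.
SAMPLE_ROOT_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

if __name__ == "__main__":
    for v in ("10.1.0-M1", "10.1.12", "10.1.13"):
        print(v, root_app_exposed(v, SAMPLE_ROOT_WEB_XML))
```
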