Bug 2235370 (CVE-2023-41080) - CVE-2023-41080 tomcat: Open Redirect vulnerability in FORM authentication
Summary: CVE-2023-41080 tomcat: Open Redirect vulnerability in FORM authentication
Keywords:
Status: NEW
Alias: CVE-2023-41080
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2235375 2235376 2235377 2235378 2235379 2235380 2235381 2235382 2235633 2236174 2236175
Blocks: 2235371
Reported: 2023-08-28 15:22 UTC by Marian Rehak
Modified: 2024-04-30 23:00 UTC (History)

Fixed In Version: tomcat 11.0.0-M11, tomcat 10.1.13, tomcat 9.0.80, tomcat 8.5.93
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Tomcat if the default web application is configured with FormAuthenticator. This issue allows a specially crafted URL to trigger a redirect to an arbitrary URL.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5946 0 None None None 2023-10-19 19:09:45 UTC
Red Hat Product Errata RHSA-2023:7622 0 None None None 2023-12-07 12:18:18 UTC
Red Hat Product Errata RHSA-2023:7623 0 None None None 2023-12-07 12:37:31 UTC
Red Hat Product Errata RHSA-2023:7678 0 None None None 2023-12-06 23:30:53 UTC
Red Hat Product Errata RHSA-2024:0125 0 None None None 2024-01-10 11:27:26 UTC
Red Hat Product Errata RHSA-2024:0474 0 None None None 2024-01-24 16:31:42 UTC
Red Hat Product Errata RHSA-2024:1324 0 None None None 2024-03-18 14:52:56 UTC
Red Hat Product Errata RHSA-2024:1325 0 None None None 2024-03-18 14:53:40 UTC

Description Marian Rehak 2023-08-28 15:22:14 UTC
If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.

https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f
https://github.com/advisories/GHSA-q3mw-pvr8-9ggc

Comment 2 TEJ RATHI 2023-08-29 09:35:43 UTC
Versions Affected:
Tomcat 11.0.0-M1 to 11.0.0-M10
Tomcat 10.1.0-M1 to 10.1.12
Tomcat 9.0.0-M1 to 9.0.79
Tomcat 8.5.0 to 8.5.92

Upstream Commits:
https://github.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3b (8.5.93)
https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b (9.0.80)
https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 (10.1.13)
https://github.com/apache/tomcat/commit/e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a (11.0.0-M11)

Comment 4 TEJ RATHI 2023-08-30 14:15:54 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-37 [bug 2236174]
Affects: fedora-38 [bug 2236175]

Comment 9 Ben 2023-10-12 09:57:02 UTC
This bug also affects Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).

Comment 10 errata-xmlrpc 2023-10-19 19:09:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2023:5946 https://access.redhat.com/errata/RHSA-2023:5946

Comment 11 errata-xmlrpc 2023-12-06 23:30:48 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678

Comment 12 errata-xmlrpc 2023-12-07 12:18:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622

Comment 13 errata-xmlrpc 2023-12-07 12:37:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623

Comment 14 errata-xmlrpc 2024-01-10 11:27:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0125 https://access.redhat.com/errata/RHSA-2024:0125

Comment 15 errata-xmlrpc 2024-01-24 16:31:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0474 https://access.redhat.com/errata/RHSA-2024:0474

Comment 19 errata-xmlrpc 2024-03-18 14:52:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.0 on RHEL 8
  Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:1324 https://access.redhat.com/errata/RHSA-2024:1324

Comment 20 errata-xmlrpc 2024-03-18 14:53:36 UTC
This issue has been addressed in the following products:

  JWS 6.0.1

Via RHSA-2024:1325 https://access.redhat.com/errata/RHSA-2024:1325
