If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.

https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f
https://github.com/advisories/GHSA-q3mw-pvr8-9ggc
Versions Affected:
  Tomcat 11.0.0-M1 to 11.0.0-M10
  Tomcat 10.1.0-M1 to 10.1.12
  Tomcat 9.0.0-M1 to 9.0.79
  Tomcat 8.5.0 to 8.5.92

Upstream Commits:
  https://github.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3b (8.5.93)
  https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b (9.0.80)
  https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 (10.1.13)
  https://github.com/apache/tomcat/commit/e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a (11.0.0-M11)
Created tomcat tracking bugs for this issue:

Affects: fedora-37 [bug 2236174]
Affects: fedora-38 [bug 2236175]
This bug also affects Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, but the one available to anyone running plain old RHEL 8 or 9).
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2023:5946 https://access.redhat.com/errata/RHSA-2023:5946

This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0125 https://access.redhat.com/errata/RHSA-2024:0125

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0474 https://access.redhat.com/errata/RHSA-2024:0474

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.0 on RHEL 8
  Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:1324 https://access.redhat.com/errata/RHSA-2024:1324

This issue has been addressed in the following products:

  JWS 6.0.1

Via RHSA-2024:1325 https://access.redhat.com/errata/RHSA-2024:1325