Bug 2235370 (CVE-2023-41080)

Summary: CVE-2023-41080 tomcat: Open Redirect vulnerability in FORM authentication
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, ben.argyle, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, cmiranda, csutherl, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, emingora, fjuma, fmariani, gjospin, gmalinko, ibek, ivassile, iweiss, janstey, jclere, jpoth, jrokos, jscholz, kverlaen, lbacciot, lgao, lthon, mmadzin, mnovotny, mosmerov, msochure, mstefank, msvehla, nwallace, owatkins, pcongius, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, pskopek, rguimara, rhcs-maint, rkieley, rowaters, rruss, rstancel, saroy, sdawley, smaestri, sthorger, swoodman, szappis, tcunning, tom.jenkinson, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: tomcat 11.0.0-M11, tomcat 10.1.13, tomcat 9.0.80, tomcat 8.5.93
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Tomcat if the default web application is configured with FormAuthenticator. This issue allows a specially crafted URL to trigger a redirect to an arbitrary URL.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2235375, 2235376, 2235377, 2235378, 2235379, 2235380, 2235381, 2235382, 2235633, 2236174, 2236175
Bug Blocks: 2235371

Description Marian Rehak 2023-08-28 15:22:14 UTC
If the ROOT (default) web application is configured to use FORM authentication, then it is possible that a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.

https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f
https://github.com/advisories/GHSA-q3mw-pvr8-9ggc
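The condition described in the report above, a redirect target that is derived from the incoming request and handed back to the browser after FORM login, is the generic open-redirect risk. As an added example, not Tomcat's own FormAuthenticator code and not the upstream fix linked in the commits below, here is a Python check of the kind a defender would place in front of any post-login redirect: it accepts only path-absolute, same-site targets and otherwise sends the user to a fixed landing page. The function names, the fallback path and the sample targets are assumptions made for this illustration.

```python
# Added example: a same-site redirect-target check for post-login redirects.
# This is NOT Tomcat's FormAuthenticator code or the upstream fix for
# CVE-2023-41080; it is a generic hardening check written for illustration.
from urllib.parse import unquote, urlsplit


def is_safe_local_redirect(target: str) -> bool:
    """Return True only if `target` keeps the browser on the current site.

    Accepted: path-absolute targets such as "/app/page?x=1#top".
    Rejected: absolute URLs with a scheme, protocol-relative URLs ("//host"),
    backslash look-alikes ("/\\host"), percent-encoded forms of those, and
    any control character or space (header-splitting material).
    """
    if not isinstance(target, str) or not target or " " in target:
        return False
    # Check the raw and the percent-decoded form so "/%2F%2Fhost" cannot
    # pass the raw check and then be decoded into "//host" later.
    for candidate in (target, unquote(target)):
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
            return False      # control characters: never valid in a Location header
        # Browsers treat a leading "\" much like "/", so fold it before testing.
        folded = candidate.replace("\\", "/")
        if not folded.startswith("/"):
            return False      # scheme-prefixed ("https:", "javascript:") or relative
        if folded.startswith("//"):
            return False      # protocol-relative: the browser would leave the site
        parts = urlsplit(folded)
        if parts.scheme or parts.netloc:
            return False
    return True


def choose_redirect(saved_target: str, fallback: str = "/") -> str:
    """Return the saved target if it is safe, otherwise the fixed fallback path."""
    return saved_target if is_safe_local_redirect(saved_target) else fallback


if __name__ == "__main__":
    # Constructed sample targets (hostnames are placeholders, not real sites).
    for t in ("/index.jsp", "//other.example/", "/\\other.example/",
              "/%2F%2Fother.example", "https://other.example/"):
        print(repr(t), "->", repr(choose_redirect(t)))
```

The check is deliberately an allow-list: rather than enumerating bad prefixes, it requires exactly one leading slash after folding backslashes and decoding, and it re-runs `urlsplit` to confirm no scheme or authority survives. Any application that stores a "return to" location across the login step should apply a check of this shape at the moment the redirect is issued, not only when the value is saved.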

Comment 2 TEJ RATHI 2023-08-29 09:35:43 UTC
Versions Affected:
Tomcat 11.0.0-M1 to 11.0.0-M10
Tomcat 10.1.0-M1 to 10.1.12
Tomcat 9.0.0-M1 to 9.0.79
Tomcat 8.5.0 to 8.5.92

Upstream Commits:
https://github.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3b (8.5.93)
https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b (9.0.80)
https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 (10.1.13)
https://github.com/apache/tomcat/commit/e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a (11.0.0-M11)

Comment 4 TEJ RATHI 2023-08-30 14:15:54 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-37 [bug 2236174]
Affects: fedora-38 [bug 2236175]

Comment 9 Ben 2023-10-12 09:57:02 UTC
This bug also affects Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).

Comment 10 errata-xmlrpc 2023-10-19 19:09:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2023:5946 https://access.redhat.com/errata/RHSA-2023:5946

Comment 11 errata-xmlrpc 2023-12-06 23:30:48 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678

Comment 12 errata-xmlrpc 2023-12-07 12:18:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622

Comment 13 errata-xmlrpc 2023-12-07 12:37:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623

Comment 14 errata-xmlrpc 2024-01-10 11:27:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0125 https://access.redhat.com/errata/RHSA-2024:0125

Comment 15 errata-xmlrpc 2024-01-24 16:31:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0474 https://access.redhat.com/errata/RHSA-2024:0474

Comment 19 errata-xmlrpc 2024-03-18 14:52:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.0 on RHEL 8
  Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:1324 https://access.redhat.com/errata/RHSA-2024:1324

Comment 20 errata-xmlrpc 2024-03-18 14:53:36 UTC
This issue has been addressed in the following products:

  JWS 6.0.1

Via RHSA-2024:1325 https://access.redhat.com/errata/RHSA-2024:1325