A flaw was found in Apache Tomcat. When the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.
References: https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E
Created tomcat tracking bugs for this issue:
Affects: epel-all [bug 1636514]
Affects: fedora-all [bug 1636513]
External References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.12
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.91
Upstream commits:
9.0.x: http://svn.apache.org/viewvc?view=revision&revision=1840055
8.5.x: http://svn.apache.org/viewvc?view=revision&revision=1840056
7.0.x: http://svn.apache.org/viewvc?view=revision&revision=1840057
This vulnerability does not affect Tomcat 6.0.24, as Response.sendRedirect() always sends an absolute URL. Vulnerable versions of Tomcat may not be exploitable under any of the following conditions:
- org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true
- org.apache.catalina.servlets.DefaultServlet is either:
  - not deployed at all
  - only deployed with the Context attribute useRelativeRedirects set to false
  - only deployed with both Context attributes mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled set to false
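The safe behaviour the note above credits to Tomcat 6.0.24 (an absolute Location built by the server, not derived from the request) and a log check for off-origin redirects, as an added example that is not Tomcat's code; CANONICAL_ORIGIN and SAMPLE_LOG are constructed values.

```python
"""Defensive handling of directory redirects (added example, not Tomcat code).

Builds the /foo -> /foo/ redirect from a configured canonical origin plus the
normalised request path, so nothing in the request can become the scheme or
host of the Location header. A second helper flags Location headers that leave
that origin, e.g. when reviewing proxy logs. CANONICAL_ORIGIN and SAMPLE_LOG
are constructed values.
"""
from urllib.parse import quote, unquote, urlsplit, urlunsplit

CANONICAL_ORIGIN = "https://app.example.org"  # constructed, deployment specific


def directory_redirect_location(request_path, origin=CANONICAL_ORIGIN):
    """Absolute Location for a directory redirect, derived from the path only."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]  # drop query/fragment
    clean = []
    for seg in path.split("/"):  # splitting also collapses '//' and dot segments
        if seg in ("", "."):
            continue
        if seg == "..":
            if clean:
                clean.pop()
            continue
        clean.append(quote(unquote(seg), safe=""))
    norm = "/" + "/".join(clean)
    if not norm.endswith("/"):
        norm += "/"
    scheme, netloc = urlsplit(origin)[:2]
    return urlunsplit((scheme, netloc, norm, "", ""))


def is_offsite_location(location, origin=CANONICAL_ORIGIN):
    """True if a Location header would send the client off the canonical origin."""
    o = urlsplit(origin)
    loc = urlsplit(location.replace("\\", "/"))  # browsers treat '\' like '/'
    if not loc.scheme and not loc.netloc:
        return False  # path-relative target stays on this origin
    scheme = loc.scheme.lower() or o.scheme.lower()  # '//host/' inherits the scheme
    return (scheme, loc.hostname) != (o.scheme.lower(), o.hostname)


# Constructed access-log style records: (request path, Location header sent)
SAMPLE_LOG = [("/docs", "https://app.example.org/docs/"), ("/docs", "/docs/"),
              ("/docs", "//other.example/")]


def flag_offsite_redirects(records, origin=CANONICAL_ORIGIN):
    """Return the records whose Location header leaves the canonical origin."""
    return [rec for rec in records if is_offsite_location(rec[1], origin)]
```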
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2019:0130 https://access.redhat.com/errata/RHSA-2019:0130
This issue has been addressed in the following products:
Red Hat JBoss Web Server 3 for RHEL 6
Red Hat JBoss Web Server 3 for RHEL 7
Via RHSA-2019:0131 https://access.redhat.com/errata/RHSA-2019:0131
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:0485 https://access.redhat.com/errata/RHSA-2019:0485
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Data Grid 6
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529