CVE-2018-11784

Summary

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat9.0.0.M1 to 9.0.11affected
Apache Software FoundationApache Tomcat8.5.0 to 8.5.33affected
Apache Software FoundationApache Tomcat7.0.23 to 7.0.90affected

Weaknesses

  • Open Redirect

ADP Enrichment

CVE Program Container

Additional References

References