CVE-2018-11784
high-risk
Published 2018-10-04
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
Do I need to act?
!
82.6% chance of exploitation in next 30 days
EPSS score — higher than 17% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (20)
References (78)
Third Party Advisory
http://www.securityfocus.com/bid/105524
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0130
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0131
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0485
and 58 more references
64
/ 100
high-risk
Severity
18/34 · Moderate
Exploitability
20/34 · Moderate
Exposure
26/34 · High