CVE-2023-41080

high-risk
Published 2023-08-25

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.

Do I need to act?

!
11.6% chance of exploitation in next 30 days
EPSS score — higher than 88% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (13)

Affected Vendors

Debian Apache

References (6)

Issue Tracking https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f
Issue Tracking https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f
Mailing List https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20230921-0006/
Third Party Advisory https://www.debian.org/security/2023/dsa-5521
Third Party Advisory https://www.debian.org/security/2023/dsa-5522
51
/ 100
high-risk
Severity 23/34 · High
Exploitability 11/34 · Low
Exposure 17/34 · Moderate