Gregk4Sec

#17004 of 53,635
15.8 Total CVSS
Vulnerabilities · 2
Medium: 1
Critical: 1
PT-2026-31697
6.4
2026-03-23
Apache · Apache Tomcat · CVE-2026-25854
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100.

Description
An open redirect issue exists in Apache Tomcat due to a flaw in the LoadBalancerDrainingValve. This can lead to redirection to untrusted sites.

Recommendations
Upgrade to version 11.0.20, 10.1.53, or 9.0.116.

PT-2026-31699
9.4
2026-03-23
Apache · Apache Tomcat Native · CVE-2026-29145
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 9.0.83 through 9.0.115
Apache Tomcat versions 10.1.0-M7 through 10.1.52
Apache Tomcat versions 11.0.0-M1 through 11.0.18
Apache Tomcat Native versions 1.1.23 through 1.1.34
Apache Tomcat Native versions 1.2.0 through 1.2.39
Apache Tomcat Native versions 1.3.0 through 1.3.6
Apache Tomcat Native versions 2.0.0 through 2.0.13

Description
An issue exists in Apache Tomcat and Apache Tomcat Native where CLIENT CERT authentication does not fail as expected in certain scenarios when soft fail is disabled.

Recommendations
Upgrade Apache Tomcat to version 11.0.20, 10.1.53, or 9.0.116.
Upgrade Apache Tomcat Native to version 1.3.7 or 2.0.14.