PT-2023-4582 · Apache · Apache Tomcat
Yiheng Cao
·
Published
2023-08-25
·
Updated
2026-03-26
·
CVE-2023-41080
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.0 through 8.5.92
Apache Tomcat versions 9.0.0-M1 through 9.0.79
Apache Tomcat versions 10.1.0-M1 through 10.1.12
Apache Tomcat versions 11.0.0-M1 through 11.0.0-M10
Description
CVE-2023-41080 is a URL redirection (open redirect) vulnerability in the FORM authentication feature of Apache Tomcat. It is limited to the ROOT (default) web application: if the ROOT web application is configured to use FORM authentication, a specially crafted URL can make Tomcat redirect the user to a URL of the attacker's choice. FORM authentication saves the URI the user originally requested and redirects to it after a successful login, which is the redirect an attacker gets to influence. The attack is remote and needs no privileges, but it does need user interaction (the victim has to follow the crafted link), which is what the CVSS vector (PR:N, UI:R, low confidentiality and integrity impact) expresses. Applications deployed under a non-empty context path are not affected.
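The check below is an added example written for this page; it is not Tomcat source and does not reproduce Tomcat's fix. It models the generic failure mode behind an open redirect in a login flow: the handler stores the URI the user first requested and later builds a Location header from it. A stored URI that begins with "//" is a network-path reference, so the browser resolves it against another host. The function names and sample URIs are this example's own (hypothetical); `safe_redirect_target` is one reasonable hardening, not the one Tomcat shipped.

```python
"""Post-login redirect target checks for a FORM-authentication flow.

Added example, not Tomcat code. All function names and sample URIs are
hypothetical and belong to this example.
"""
from urllib.parse import urlsplit


def browser_host_for(location: str) -> str:
    """Host a browser would contact for a Location value ("" means same origin).

    urlsplit follows RFC 3986: "//host/path" is parsed as a netloc even with
    no scheme, which is exactly why a stored "//evil.example/..." is dangerous.
    """
    return urlsplit(location).netloc


def naive_redirect_target(saved_uri: str) -> str:
    # Vulnerable pattern: trust the stored request URI as-is.
    return saved_uri


def safe_redirect_target(saved_uri: str, fallback: str = "/") -> str:
    """Return saved_uri only if it is a path-absolute, same-origin reference.

    Anything else (absolute URL, network-path "//host", backslashes or control
    characters that browsers may normalise into "//") falls back to a fixed
    landing page.
    """
    # Browsers following the WHATWG URL parser rewrite "\" to "/", so
    # "/\evil.example" becomes "//evil.example". Check the raw string first:
    # urlsplit itself silently strips tab and newline characters.
    if "\\" in saved_uri or any(ord(ch) < 0x20 for ch in saved_uri):
        return fallback
    # Exactly one leading "/": "//host" is a network-path reference.
    if not saved_uri.startswith("/") or saved_uri.startswith("//"):
        return fallback
    parts = urlsplit(saved_uri)
    if parts.scheme or parts.netloc:
        return fallback
    return saved_uri


def redirect_after_login(saved_uri: str, hardened: bool) -> str:
    """Location header value the login handler would emit for a stored URI."""
    if hardened:
        return safe_redirect_target(saved_uri)
    return naive_redirect_target(saved_uri)


if __name__ == "__main__":
    # Constructed sample inputs: what a login flow might have stored.
    samples = [
        "/admin/index.jsp?tab=1",
        "//evil.example/phish",
        "/\\evil.example",
        "https://evil.example/",
    ]
    for uri in samples:
        naive = redirect_after_login(uri, hardened=False)
        safe = redirect_after_login(uri, hardened=True)
        print(f"{uri!r:28} naive -> {naive!r} (host={browser_host_for(naive)!r})"
              f"  hardened -> {safe!r}")
```

Note that `browser_host_for("/\\evil.example")` returns an empty string because Python's parser does not treat a backslash as a slash, while a browser does; that gap is why the hardened check rejects backslashes explicitly instead of relying on `urlsplit` alone.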
Recommendations
Upgrade to the first release past the affected range for your branch:
Apache Tomcat 8.5.x: upgrade to 8.5.93 or later
Apache Tomcat 9.0.x: upgrade to 9.0.80 or later
Apache Tomcat 10.1.x: upgrade to 10.1.13 or later
Apache Tomcat 11.0.x: upgrade to 11.0.0-M11 or later
If you cannot upgrade immediately, stop using FORM authentication in the ROOT web application until you have: deploy the application under a non-empty context path, or switch it to another authentication method. Only the ROOT web application is exposed, so either change removes the affected configuration.
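To check an installed instance against the ranges above, the following is an added example (not a tool that ships with Tomcat). It encodes the advisory's ranges, orders milestone releases such as 9.0.0-M1 before the GA release with the same number, and reports branches the advisory does not list (for example the end-of-life 10.0.x line) as "unknown" rather than as fixed. It reads the version from the "Server version: Apache Tomcat/..." line that `bin/version.sh` prints; the function names are this example's own.

```python
"""Classify an Apache Tomcat version against the CVE-2023-41080 ranges.

Added example, not Tomcat code. Ranges are those listed in this advisory;
function names are this example's own.
"""
import re
from typing import Tuple

# major.minor.patch with an optional -M<n> milestone suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# "Server version: Apache Tomcat/9.0.79" as printed by bin/version.sh
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")

# Inclusive ranges from the advisory, one per supported branch.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.92"),
    ("9.0.0-M1", "9.0.79"),
    ("10.1.0-M1", "10.1.12"),
    ("11.0.0-M1", "11.0.0-M10"),
]


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Sort key (major, minor, patch, is_ga, milestone).

    is_ga is 0 for -M releases and 1 for GA, so 11.0.0-M10 sorts before 11.0.0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def version_from_banner(line: str) -> str:
    """Extract the version from a version.sh 'Server version:' line."""
    m = _BANNER_RE.search(line)
    if not m:
        raise ValueError(f"no Tomcat version in: {line!r}")
    return m.group(1)


def cve_2023_41080_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for the given Tomcat version."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES:
        low_key, high_key = parse_version(low), parse_version(high)
        if key[:2] != low_key[:2]:  # different major.minor branch
            continue
        return "affected" if low_key <= key <= high_key else "fixed"
    # Branch not covered by the advisory (e.g. 10.0.x): do not call it safe.
    return "unknown"


if __name__ == "__main__":
    # Constructed sample banner lines in the format version.sh prints.
    banners = [
        "Server version: Apache Tomcat/9.0.79",
        "Server version: Apache Tomcat/10.1.13",
        "Server version: Apache Tomcat/11.0.0-M10",
        "Server version: Apache Tomcat/10.0.27",
    ]
    for line in banners:
        v = version_from_banner(line)
        print(f"{v:12} {cve_2023_41080_status(v)}")
```

Feed it the output of `$CATALINA_HOME/bin/version.sh` from each host; a result of "unknown" means the branch is outside the advisory's scope and needs its own assessment, not that it is clean.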
Weakness Enumeration
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Affected Products
ALT Linux
AlmaLinux
Apache Tomcat
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
SUSE
Ubuntu