CVE-2023-41080

MEDIUM

Apache Tomcat <11.0.0-M10 - Open Redirect

Title source: llm

Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.

Exploits (1)

nomisec WORKING POC 11 stars

by shiomiyan · poc

https://github.com/shiomiyan/CVE-2023-41080

View Code ZIP pw:eip

References (5)

[Issue Tracking, Patch, Vendor Advisory] https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20230921-0006/

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5521

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5522

Scores

CVSS v3 6.1

EPSS 0.1159

EPSS Percentile 93.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-601

Status published

Products (6)

apache/tomcat 11.0.0 milestone1 (10 CPE variants)

apache/tomcat 8.5.0 - 8.5.92

debian/debian_linux 10.0

debian/debian_linux 11.0

org.apache.tomcat/tomcat 11.0.0-M1 - 11.0.0-M11Maven

org.apache.tomcat.embed/tomcat-embed-core 8.5.0 - 8.5.93Maven

Published Aug 25, 2023

Tracked Since Feb 18, 2026