HTTP: Apache Tomcat Default Servlet Open Redirect

An open redirect vulnerability has been reported in the default servlet of Apache Tomcat. The servlet does not adequately validate the request URI when it builds the Location header for a directory redirect, so a crafted URL can produce a redirect to a host the attacker controls. A user who follows such a link is sent to a site designed to impersonate the legitimate one, which makes this a spoofing (phishing) vulnerability rather than a server-side compromise.

Extended Description

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

Affected Products

Netapp snap_creator_framework

Short Name
HTTP:APACHE:TOMCAT-REDIRECT
Severity
Minor
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Apache CVE-2018-11784 Default Open Redirect Servlet Tomcat
Release Date
11/29/2018
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3590
False Positive
Unknown
Vendors

Redhat

Apache

Oracle

Netapp

Debian

Canonical

CVSS Score

4.3
