CVE-2023-41080

Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.

How to fix CVE-2023-41080

To remediate CVE-2023-41080, upgrade the affected package to a fixed version below.

• —upgrade to 8.5.93 or later
• —upgrade to 10.1.6-1+deb12u1 or later
• —upgrade to 9.0.43-2~deb11u7 or later
• —upgrade to 8.5.93 or later
• —upgrade to 11.0.0-M11 or later
• —upgrade to 10.1.13 or later

Is CVE-2023-41080 being exploited?

Moderate — EPSS is 11.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (6)

• >= 8.5.0, < 8.5.93, >= 9.0.0, < 9.0.80, >= 10.1.0, < 10.1.13
• from 0, < 10.1.6-1+deb12u1
• from 0, < 9.0.43-2~deb11u7
• >= 8.5.0, < 8.5.93
• >= 11.0.0-M1, < 11.0.0-M11
• >= 10.1.0-M1, < 10.1.13

CVSS scores

References (13)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-41080
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-41080
• PATCHgithub.com/apache/tomcat
• WEBgithub.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3b