When the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

This was fixed in revision 1840055.

This issue was reported to the Apache Tomcat Security Team by Sergey Bobrov on 28 August 2018 and made public on 3 October 2018.

Affects: 9.0.0.M1 to 9.0.11

CPENameOperatorVersion
apache tomcatge9.0.0.M1
apache tomcatle9.0.11

CPE	Name	Operator	Version
	apache tomcat	ge	9.0.0.M1
	apache tomcat	le	9.0.11

osv 8

oraclelinux 3

ibm 17

nessus 33

kaspersky 1

debian 3

amazon 3

openvas 24

f5 1

redhatcve 1

nuclei 1

prion 1

veracode 2

suse 5

fedora 3

zdt 1

packetstorm 1

cve 1

ubuntu 1

ubuntucve 1

debiancve 1

checkpoint_advisories 1

centos 1

github 2

cisa 1

atlassian 3

redhat 6

tomcat 2

symantec 2

exploitdb 1

rocky 1

almalinux 1

mageia 1

hackerone 1

avleonov 1

oracle 6

osv

CVE-2018-11784

2018-10-04 13:29:00

Apache Tomcat Open Redirect vulnerability

2018-10-17 16:31:02

tomcat8 - security update

2018-10-15 00:00:00

oraclelinux

tomcat security update

2019-03-13 00:00:00

pki-deps:10.6 security update

2019-07-30 00:00:00

tomcat security, bug fix, and enhancement update

2019-08-13 00:00:00

ibm

Security Bulletin: Vulnerability in Apache Tomcat affects IBM Platform Symphony

2021-07-02 02:32:33

Security Bulletin: IBM QRadar SIEM is vulnerable to Apache Tomcat Publicly disclosed vulnerability (CVE-2018-11784)

2019-03-05 18:10:01

Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology

2021-04-28 18:35:50

nessus

Oracle Linux 7 : tomcat (ELSA-2019-0485)

2019-03-15 00:00:00

openSUSE Security Update : tomcat (openSUSE-2019-972)

2019-03-27 00:00:00

EulerOS 2.0 SP5 : tomcat (EulerOS-SA-2019-1602)

2019-05-29 00:00:00

kaspersky

KLA11327 SB vulnerability in Apache Tomcat

2018-10-03 00:00:00

debian

[SECURITY] [DLA 1545-1] tomcat8 security update

2018-10-15 16:56:28

[SECURITY] [DLA 1544-1] tomcat7 security update

2018-10-14 20:43:08

[SECURITY] [DSA 4596-1] tomcat8 security update

2019-12-27 22:15:49

amazon

Medium: tomcat

2019-04-04 22:00:00

Medium: tomcat7

2018-11-05 19:35:00

Important: tomcat8

2019-05-16 23:11:00

openvas

Ubuntu: Security Advisory (USN-3787-1)

2018-10-11 00:00:00

CentOS Update for tomcat CESA-2019:0485 centos7

2019-03-21 00:00:00

openSUSE: Security Advisory for tomcat (openSUSE-SU-2018:4042-1)

2018-12-10 00:00:00

K64921482 : Apache Tomcat vulnerability CVE-2018-11784

2018-10-25 00:00:00

redhatcve

CVE-2018-11784

2019-11-02 09:34:32

nuclei

Apache Tomcat - Open Redirect

2021-03-18 16:22:01

prion

Design/Logic Flaw

2018-10-04 13:29:00

veracode

Open Redirection

2018-10-04 09:06:12

Open Redirection

2019-01-15 09:25:50

suse

Security update for tomcat (moderate)

2018-10-25 18:22:29

Security update for tomcat (moderate)

2018-12-08 00:21:25

Security update for virtualbox (important)

2019-01-25 00:00:00

fedora

[SECURITY] Fedora 29 Update: tomcat-9.0.13-1.fc29

2019-02-13 02:48:13

[SECURITY] Fedora 29 Update: tomcat-9.0.21-1.fc29

2019-07-04 02:51:06

[SECURITY] Fedora 28 Update: tomcat-8.5.35-1.fc28

2019-04-03 02:02:31

zdt

Apache Tomcat 9.0.0.M1 - Open Redirect Vulnerability

2021-07-13 00:00:00

packetstorm

Apache Tomcat 9.0.0M1 Open Redirect

2021-07-11 00:00:00

cve

CVE-2018-11784

2018-10-04 13:29:00

ubuntu

Tomcat vulnerability

2018-10-10 00:00:00

ubuntucve

CVE-2018-11784

2018-10-04 00:00:00

debiancve

CVE-2018-11784

2018-10-04 13:29:00

checkpoint_advisories

Apache Tomcat Default Servlet Open Redirect (CVE-2018-11784)

2019-02-19 00:00:00

centos

tomcat security update

2019-03-19 14:33:17

github

Apache Tomcat Open Redirect vulnerability

2018-10-17 16:31:02

Open Redirect

2022-03-18 17:55:07

cisa

Apache Releases Security Updates for Apache Tomcat

2018-10-04 00:00:00

atlassian

Update Tomcat to 8.5.34 to avoid CVE-2018-11784

2018-10-10 09:22:17

Update Tomcat to 8.5.34 to avoid CVE-2018-11784

2018-10-10 09:22:17

Upgrade to Tomcat 8.5.32 necessary

2018-08-01 09:33:53

redhat

(RHSA-2019:0485) Moderate: tomcat security update

2019-03-12 08:24:45

(RHSA-2019:0131) Moderate: Red Hat JBoss Web Server 3.1 Service Pack 6 security and bug fix update

2019-01-22 13:28:13

(RHSA-2018:2868) Important: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update

2018-10-03 13:41:48

tomcat

Fixed in Apache Tomcat 8.5.34

2018-09-10 00:00:00

Fixed in Apache Tomcat 7.0.91

2018-09-19 00:00:00

symantec

Apache Tomcat CVE-2018-11784 Open Redirection Vulnerability

2018-10-03 00:00:00

Apache Tomcat Vulnerabilities Oct 2018 – Feb 2020

2020-05-12 19:02:01

exploitdb

Apache Tomcat 9.0.0.M1 - Open Redirect

2021-07-13 00:00:00

rocky

pki-deps:10.6 security update

2019-06-18 16:36:21

almalinux

Important: pki-deps:10.6 security update

2019-06-18 16:36:21

mageia

Updated tomcat packages fix security vulnerabilities

2018-12-10 00:20:39

hackerone

U.S. Dept Of Defense: Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE

2020-05-14 19:38:44

avleonov

Last Week’s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins

2021-07-19 16:29:00

oracle

Oracle Critical Patch Update Advisory - October 2019

2020-01-22 00:00:00

Oracle Critical Patch Update Advisory - January 2019

2019-01-15 00:00:00

Oracle Critical Patch Update Advisory - April 2019

2019-04-16 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.83 High

EPSS

Percentile

98.4%

JSON

Related for TOMCAT:1CE79F1FB24CB690F26B87530FB0DBF3