URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.
2023-08-25T21:15:09.397
2025-08-07T11:15:27.510
Modified
CVSSv3.1: 6.1 (MEDIUM)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | tomcat | ≤ 8.5.92 | Yes |
| Application | apache | tomcat | ≤ 9.0.79 | Yes |
| Application | apache | tomcat | ≤ 10.1.12 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Application | apache | tomcat | 11.0.0 | Yes |
| Operating System | debian | debian_linux | 10.0 | Yes |
| Operating System | debian | debian_linux | 11.0 | Yes |