ID CVE-2018-11784
Summary When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.83:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.83:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.84:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.84:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.85:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.85:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.86:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.86:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.87:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.87:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.88:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.88:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.89:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.89:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.90:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.90:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.21:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.21:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.33:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.33:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m10:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m10:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m11:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m11:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m12:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m12:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m13:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m13:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m14:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m14:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m15:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m15:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m16:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m16:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m17:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m17:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m18:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m18:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m19:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m19:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m2:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m2:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m20:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m20:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m21:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m21:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m22:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m22:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m23:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m23:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m24:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m24:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m25:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m25:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m26:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m26:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m27:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m27:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m5:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m5:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m7:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m7:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m8:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m8:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:m9:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:m9:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_application_session_controller:3.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_application_session_controller:3.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_application_session_controller:3.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_application_session_controller:3.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 11-06-2019 - 22:29)
Impact:
Exploitability:
CWE CWE-601
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
  • bugzilla
    id 1636512
    title CVE-2018-11784 tomcat: Open redirect in default servlet
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment tomcat is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485001
          • comment tomcat is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686002
        • AND
          • comment tomcat-admin-webapps is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485003
          • comment tomcat-admin-webapps is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686004
        • AND
          • comment tomcat-docs-webapp is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485005
          • comment tomcat-docs-webapp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686006
        • AND
          • comment tomcat-el-2.2-api is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485007
          • comment tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686008
        • AND
          • comment tomcat-javadoc is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485009
          • comment tomcat-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686010
        • AND
          • comment tomcat-jsp-2.2-api is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485011
          • comment tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686012
        • AND
          • comment tomcat-jsvc is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485013
          • comment tomcat-jsvc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686014
        • AND
          • comment tomcat-lib is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485015
          • comment tomcat-lib is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686016
        • AND
          • comment tomcat-servlet-3.0-api is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485017
          • comment tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686018
        • AND
          • comment tomcat-webapps is earlier than 0:7.0.76-9.el7_6
            oval oval:com.redhat.rhsa:tst:20190485019
          • comment tomcat-webapps is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686020
    rhsa
    id RHSA-2019:0485
    released 2019-03-13
    severity Moderate
    title RHSA-2019:0485: tomcat security update (Moderate)
  • rhsa
    id RHSA-2019:0130
  • rhsa
    id RHSA-2019:0131
  • rhsa
    id RHSA-2019:1529
rpms
  • jws5-tomcat-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-admin-webapps-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-admin-webapps-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-docs-webapp-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-docs-webapp-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-el-3.0-api-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-el-3.0-api-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-javadoc-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-javadoc-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-jsvc-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-jsvc-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-lib-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-lib-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-selinux-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-selinux-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-webapps-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-webapps-0:9.0.7-12.redhat_12.1.el7jws
  • tomcat-native-0:1.2.17-18.redhat_18.ep7.el6
  • tomcat-native-0:1.2.17-18.redhat_18.ep7.el7
  • tomcat-native-debuginfo-0:1.2.17-18.redhat_18.ep7.el6
  • tomcat-native-debuginfo-0:1.2.17-18.redhat_18.ep7.el7
  • tomcat7-0:7.0.70-31.ep7.el6
  • tomcat7-0:7.0.70-31.ep7.el7
  • tomcat7-admin-webapps-0:7.0.70-31.ep7.el6
  • tomcat7-admin-webapps-0:7.0.70-31.ep7.el7
  • tomcat7-docs-webapp-0:7.0.70-31.ep7.el6
  • tomcat7-docs-webapp-0:7.0.70-31.ep7.el7
  • tomcat7-el-2.2-api-0:7.0.70-31.ep7.el6
  • tomcat7-el-2.2-api-0:7.0.70-31.ep7.el7
  • tomcat7-javadoc-0:7.0.70-31.ep7.el6
  • tomcat7-javadoc-0:7.0.70-31.ep7.el7
  • tomcat7-jsp-2.2-api-0:7.0.70-31.ep7.el6
  • tomcat7-jsp-2.2-api-0:7.0.70-31.ep7.el7
  • tomcat7-jsvc-0:7.0.70-31.ep7.el6
  • tomcat7-jsvc-0:7.0.70-31.ep7.el7
  • tomcat7-lib-0:7.0.70-31.ep7.el6
  • tomcat7-lib-0:7.0.70-31.ep7.el7
  • tomcat7-log4j-0:7.0.70-31.ep7.el6
  • tomcat7-log4j-0:7.0.70-31.ep7.el7
  • tomcat7-selinux-0:7.0.70-31.ep7.el6
  • tomcat7-selinux-0:7.0.70-31.ep7.el7
  • tomcat7-servlet-3.0-api-0:7.0.70-31.ep7.el6
  • tomcat7-servlet-3.0-api-0:7.0.70-31.ep7.el7
  • tomcat7-webapps-0:7.0.70-31.ep7.el6
  • tomcat7-webapps-0:7.0.70-31.ep7.el7
  • tomcat8-0:8.0.36-35.ep7.el6
  • tomcat8-0:8.0.36-35.ep7.el7
  • tomcat8-admin-webapps-0:8.0.36-35.ep7.el6
  • tomcat8-admin-webapps-0:8.0.36-35.ep7.el7
  • tomcat8-docs-webapp-0:8.0.36-35.ep7.el6
  • tomcat8-docs-webapp-0:8.0.36-35.ep7.el7
  • tomcat8-el-2.2-api-0:8.0.36-35.ep7.el6
  • tomcat8-el-2.2-api-0:8.0.36-35.ep7.el7
  • tomcat8-javadoc-0:8.0.36-35.ep7.el6
  • tomcat8-javadoc-0:8.0.36-35.ep7.el7
  • tomcat8-jsp-2.3-api-0:8.0.36-35.ep7.el6
  • tomcat8-jsp-2.3-api-0:8.0.36-35.ep7.el7
  • tomcat8-jsvc-0:8.0.36-35.ep7.el6
  • tomcat8-jsvc-0:8.0.36-35.ep7.el7
  • tomcat8-lib-0:8.0.36-35.ep7.el6
  • tomcat8-lib-0:8.0.36-35.ep7.el7
  • tomcat8-log4j-0:8.0.36-35.ep7.el6
  • tomcat8-log4j-0:8.0.36-35.ep7.el7
  • tomcat8-selinux-0:8.0.36-35.ep7.el6
  • tomcat8-selinux-0:8.0.36-35.ep7.el7
  • tomcat8-servlet-3.1-api-0:8.0.36-35.ep7.el6
  • tomcat8-servlet-3.1-api-0:8.0.36-35.ep7.el7
  • tomcat8-webapps-0:8.0.36-35.ep7.el6
  • tomcat8-webapps-0:8.0.36-35.ep7.el7
  • tomcat-0:7.0.76-9.el7_6
  • tomcat-admin-webapps-0:7.0.76-9.el7_6
  • tomcat-docs-webapp-0:7.0.76-9.el7_6
  • tomcat-el-2.2-api-0:7.0.76-9.el7_6
  • tomcat-javadoc-0:7.0.76-9.el7_6
  • tomcat-jsp-2.2-api-0:7.0.76-9.el7_6
  • tomcat-jsvc-0:7.0.76-9.el7_6
  • tomcat-lib-0:7.0.76-9.el7_6
  • tomcat-servlet-3.0-api-0:7.0.76-9.el7_6
  • tomcat-webapps-0:7.0.76-9.el7_6
  • apache-commons-collections-0:3.2.2-10.module+el8.0.0+3248+9d514f3b
  • apache-commons-lang-0:2.6-21.module+el8.0.0+3248+9d514f3b
  • bea-stax-api-0:1.2.0-16.module+el8.0.0+3248+9d514f3b
  • glassfish-fastinfoset-0:1.2.13-9.module+el8.0.0+3248+9d514f3b
  • glassfish-jaxb-api-0:2.2.12-8.module+el8.0.0+3248+9d514f3b
  • glassfish-jaxb-core-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
  • glassfish-jaxb-runtime-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
  • glassfish-jaxb-txw2-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
  • jackson-annotations-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-core-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-databind-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-jaxrs-json-provider-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-jaxrs-providers-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-module-jaxb-annotations-0:2.7.6-4.module+el8.0.0+3248+9d514f3b
  • jakarta-commons-httpclient-1:3.1-28.module+el8.0.0+3248+9d514f3b
  • javassist-0:3.18.1-8.module+el8.0.0+3248+9d514f3b
  • javassist-javadoc-0:3.18.1-8.module+el8.0.0+3248+9d514f3b
  • pki-servlet-4.0-api-1:9.0.7-14.module+el8.0.0+3248+9d514f3b
  • pki-servlet-container-1:9.0.7-14.module+el8.0.0+3248+9d514f3b
  • python-nss-debugsource-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
  • python-nss-doc-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
  • python3-nss-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
  • python3-nss-debuginfo-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
  • relaxngDatatype-0:2011.1-7.module+el8.0.0+3248+9d514f3b
  • resteasy-0:3.0.26-3.module+el8.0.0+3248+9d514f3b
  • slf4j-0:1.7.25-4.module+el8.0.0+3248+9d514f3b
  • slf4j-jdk14-0:1.7.25-4.module+el8.0.0+3248+9d514f3b
  • stax-ex-0:1.7.7-8.module+el8.0.0+3248+9d514f3b
  • velocity-0:1.7-24.module+el8.0.0+3248+9d514f3b
  • xalan-j2-0:2.7.1-38.module+el8.0.0+3248+9d514f3b
  • xerces-j2-0:2.11.0-34.module+el8.0.0+3248+9d514f3b
  • xml-commons-apis-0:1.4.01-25.module+el8.0.0+3248+9d514f3b
  • xml-commons-resolver-0:1.2-26.module+el8.0.0+3248+9d514f3b
  • xmlstreambuffer-0:1.5.4-8.module+el8.0.0+3248+9d514f3b
  • xsom-0:0-19.20110809svn.module+el8.0.0+3248+9d514f3b
refmap via4
bid 105524
bugtraq 20191229 [SECURITY] [DSA 4596-1] tomcat8 security update
confirm
debian DSA-4596
fedora FEDORA-2018-b18f9dd65b
misc
mlist
  • [announce] 20181003 [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
  • [debian-lts-announce] 20181014 [SECURITY] [DLA 1544-1] tomcat7 security update
  • [debian-lts-announce] 20181015 [SECURITY] [DLA 1545-1] tomcat8 security update
  • [tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
  • [tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
  • [tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
  • [tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/
suse
  • openSUSE-SU-2019:1547
  • openSUSE-SU-2019:1814
ubuntu USN-3787-1
Last major update 11-06-2019 - 22:29
Published 04-10-2018 - 13:29
Last modified 11-06-2019 - 22:29
Back to Top