CVE-2018-11784

Description

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

Risk Information

Base Score
4.3
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Score
Exploitation Probability
85.117

Associated Vulnerability

Vulnerability | OS Platform
Vulnerability CVE-2018-11784 are affected in Tomcat 9.0.11 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.1 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.1 | Windows
Vulnerabilities CVE-2018-11784 are fixed in Apache - tomcat-embed-core 8.5.34 | Windows
Vulnerabilities CVE-2018-11784 are fixed in Apache - tomcat-embed-core 7.0.91 | Windows
Vulnerabilities CVE-2018-11784 are fixed in Apache - tomcat-embed-core 9.0.12 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.3 | Windows
Vulnerabilities CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2018-11784 are affected in IBM UrbanCode Deploy 7.0.1.1 | Windows
Vulnerabilities CVE-2017-1752,CVE-2018-11784 are affected in IBM UrbanCode Deploy 6.1.3.8 | Windows
Servlet and JSP engine (USN-3081-1) libtomcat7-java_7.0.52-1ubuntu0.16_all.deb | Linux
Servlet and JSP engine (USN-3204-1) libtomcat7-java_7.0.52-1ubuntu0.16_all.deb | Linux
Servlet and JSP engine (USN-3665-1) libtomcat7-java_7.0.52-1ubuntu0.16_all.deb | Linux
Servlet and JSP engine (USN-3723-1) libtomcat7-java_7.0.52-1ubuntu0.16_all.deb | Linux
Servlet and JSP engine (USN-3787-1) tomcat7_7.0.52-1ubuntu0.16_all.deb | Linux
Servlet and JSP engine (USN-3787-1) tomcat8_8.0.32-1ubuntu1.8_all.deb | Linux
Servlet and JSP engine (USN-3787-1) libtomcat7-java_7.0.52-1ubuntu0.16_all.deb | Linux
Servlet and JSP engine (USN-3787-1) libtomcat8-java_8.0.32-1ubuntu1.8_all.deb | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-admin-webapps-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-docs-webapp-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-el-3_0-api-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-javadoc-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-jsp-2_3-api-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-lib-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-servlet-3_1-api-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3393-1 (SUSE Linux Enterprise Server 12-SP3) tomcat-webapps-8.0.53-29.16.2.noarch.rpm | Linux
SUSE-SU-2018:3935-1 (SUSE Linux Enterprise Server 11-SP4) tomcat6-6.0.53-0.57.10.1.noarch.rpm | Linux
SUSE-SU-2018:3935-1 (SUSE Linux Enterprise Server 11-SP4) tomcat6-admin-webapps-6.0.53-0.57.10.1.noarch.rpm | Linux
SUSE-SU-2018:3935-1 (SUSE Linux Enterprise Server 11-SP4) tomcat6-docs-webapp-6.0.53-0.57.10.1.noarch.rpm | Linux
SUSE-SU-2018:3935-1 (SUSE Linux Enterprise Server 11-SP4) tomcat6-javadoc-6.0.53-0.57.10.1.noarch.rpm | Linux
SUSE-SU-2018:3935-1 (SUSE Linux Enterprise Server 11-SP4) tomcat6-jsp-2_1-api-6.0.53-0.57.10.1.noarch.rpm | Linux
SUSE-SU-2018:3935-1 (SUSE Linux Enterprise Server 11-SP4) tomcat6-lib-6.0.53-0.57.10.1.noarch.rpm | Linux
SUSE-SU-2018:3935-1 (SUSE Linux Enterprise Server 11-SP4) tomcat6-servlet-2_5-api-6.0.53-0.57.10.1.noarch.rpm | Linux
SUSE-SU-2018:3935-1 (SUSE Linux Enterprise Server 11-SP4) tomcat6-webapps-6.0.53-0.57.10.1.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-admin-webapps-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-docs-webapp-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-el-2.2-api-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-javadoc-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-jsp-2.2-api-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-jsvc-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-lib-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-servlet-3.0-api-7.0.76-9.el7_6.noarch.rpm | Linux
(RHSA-2019:0485) tomcat security update tomcat-webapps-7.0.76-9.el7_6.noarch.rpm | Linux
tomcat8 security update (DSA-4596-1) tomcat8_8.5.50-0+deb9u1_all.deb | Linux
(RHSA-2019:1529) pki-deps:10.6 security update pki-servlet-container-9.0.7-14.module+el8.0.0+3248+9d514f3b.noarch.rpm | Linux
Python-nss-doc update (ELSA-2019-1529) python-nss-doc-1.0.1-10.module+el8.0.0+5231+3e842911.x86_64.rpm | Linux
Python3-nss update (ELSA-2019-1529) python3-nss-1.0.1-10.module+el8.0.0+5231+3e842911.x86_64.rpm | Linux
Apache-commons-collections update (ELSA-2019-1529) apache-commons-collections-3.2.2-10.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Apache-commons-lang update (ELSA-2019-1529) apache-commons-lang-2.6-21.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Bea-stax-api update (ELSA-2019-1529) bea-stax-api-1.2.0-16.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Glassfish-fastinfoset update (ELSA-2019-1529) glassfish-fastinfoset-1.2.13-9.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Glassfish-jaxb-api update (ELSA-2019-1529) glassfish-jaxb-api-2.2.12-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Glassfish-jaxb-core update (ELSA-2019-1529) glassfish-jaxb-core-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Glassfish-jaxb-runtime update (ELSA-2019-1529) glassfish-jaxb-runtime-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Glassfish-jaxb-txw2 update (ELSA-2019-1529) glassfish-jaxb-txw2-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Jackson-annotations update (ELSA-2019-1529) jackson-annotations-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Jackson-core update (ELSA-2019-1529) jackson-core-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Jackson-databind update (ELSA-2019-1529) jackson-databind-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Jackson-jaxrs-json-provider update (ELSA-2019-1529) jackson-jaxrs-json-provider-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Jackson-jaxrs-providers update (ELSA-2019-1529) jackson-jaxrs-providers-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Jackson-module-jaxb-annotations update (ELSA-2019-1529) jackson-module-jaxb-annotations-2.7.6-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Jakarta-commons-httpclient update (ELSA-2019-1529) jakarta-commons-httpclient-3.1-28.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Javassist update (ELSA-2019-1529) javassist-3.18.1-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Javassist-javadoc update (ELSA-2019-1529) javassist-javadoc-3.18.1-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Pki-servlet-4.0-api update (ELSA-2019-1529) pki-servlet-4.0-api-9.0.7-14.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Pki-servlet-container update (ELSA-2019-1529) pki-servlet-container-9.0.7-14.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
RelaxngDatatype update (ELSA-2019-1529) relaxngDatatype-2011.1-7.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Resteasy update (ELSA-2019-1529) resteasy-3.0.26-3.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Slf4j update (ELSA-2019-1529) slf4j-1.7.25-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Slf4j-jdk14 update (ELSA-2019-1529) slf4j-jdk14-1.7.25-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Stax-ex update (ELSA-2019-1529) stax-ex-1.7.7-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Velocity update (ELSA-2019-1529) velocity-1.7-24.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Xalan-j2 update (ELSA-2019-1529) xalan-j2-2.7.1-38.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Xerces-j2 update (ELSA-2019-1529) xerces-j2-2.11.0-34.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Xml-commons-apis update (ELSA-2019-1529) xml-commons-apis-1.4.01-25.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Xml-commons-resolver update (ELSA-2019-1529) xml-commons-resolver-1.2-26.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Xmlstreambuffer update (ELSA-2019-1529) xmlstreambuffer-1.5.4-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Xsom update (ELSA-2019-1529) xsom-0-19.20110809svn.module+el8.0.0+5231+3e842911.noarch.rpm | Linux
Vulnerability CVE-2018-11784 are affected in Tomcat 9.0.11 (For Linux) | Linux
pki-deps:10.6 security update (RLSA-2019:1529) slf4j-1.7.25-4.module+el8.5.0+697+f586bb30.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) velocity-1.7-24.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) xalan-j2-2.7.1-38.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) javassist-3.18.1-8.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) xerces-j2-2.11.0-34.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) javassist-javadoc-3.18.1-8.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) apache-commons-lang-2.6-21.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) xml-commons-resolver-1.2-26.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) apache-commons-collections-3.2.2-10.module+el8.3.0+53+ea062990.noarch.rpm | Linux
pki-deps:10.6 security update (RLSA-2019:1529) jakarta-commons-httpclient-3.1-28.module+el8.3.0+53+ea062990.noarch.rpm | Linux
Apache-commons-collections update (ELSA-2024-3061) apache-commons-collections-3.2.2-10.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Apache-commons-lang update (ELSA-2024-3061) apache-commons-lang-2.6-21.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Apache-commons-net update (ELSA-2024-3061) apache-commons-net-3.6-3.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Bea-stax-api update (ELSA-2024-3061) bea-stax-api-1.2.0-16.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Fasterxml-oss-parent update (ELSA-2024-3061) fasterxml-oss-parent-49-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Glassfish-fastinfoset update (ELSA-2024-3061) glassfish-fastinfoset-1.2.13-9.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Glassfish-jaxb-api update (ELSA-2024-3061) glassfish-jaxb-api-2.2.12-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Glassfish-jaxb-core update (ELSA-2024-3061) glassfish-jaxb-core-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Glassfish-jaxb-runtime update (ELSA-2024-3061) glassfish-jaxb-runtime-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Glassfish-jaxb-txw2 update (ELSA-2024-3061) glassfish-jaxb-txw2-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Idm-jss update (ELSA-2024-3061) idm-jss-4.11.0-1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux
Idm-jss-javadoc update (ELSA-2024-3061) idm-jss-javadoc-4.11.0-1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux
Idm-ldapjdk update (ELSA-2024-3061) idm-ldapjdk-4.24.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Idm-ldapjdk-javadoc update (ELSA-2024-3061) idm-ldapjdk-javadoc-4.24.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Idm-pki-acme update (ELSA-2024-3061) idm-pki-acme-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Idm-pki-base update (ELSA-2024-3061) idm-pki-base-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Idm-pki-base-java update (ELSA-2024-3061) idm-pki-base-java-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Idm-pki-ca update (ELSA-2024-3061) idm-pki-ca-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Idm-pki-kra update (ELSA-2024-3061) idm-pki-kra-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Idm-pki-server update (ELSA-2024-3061) idm-pki-server-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Idm-pki-symkey update (ELSA-2024-3061) idm-pki-symkey-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux
Idm-pki-tools update (ELSA-2024-3061) idm-pki-tools-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux
Idm-tomcatjss update (ELSA-2024-3061) idm-tomcatjss-7.8.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Jackson-annotations update (ELSA-2024-3061) jackson-annotations-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jackson-bom update (ELSA-2024-3061) jackson-bom-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jackson-core update (ELSA-2024-3061) jackson-core-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jackson-databind update (ELSA-2024-3061) jackson-databind-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jackson-jaxrs-json-provider update (ELSA-2024-3061) jackson-jaxrs-json-provider-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jackson-jaxrs-providers update (ELSA-2024-3061) jackson-jaxrs-providers-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jackson-module-jaxb-annotations update (ELSA-2024-3061) jackson-module-jaxb-annotations-2.14.2-2.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jackson-modules-base update (ELSA-2024-3061) jackson-modules-base-2.14.2-2.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jackson-parent update (ELSA-2024-3061) jackson-parent-2.14-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Jakarta-commons-httpclient update (ELSA-2024-3061) jakarta-commons-httpclient-3.1-28.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Javassist update (ELSA-2024-3061) javassist-3.18.1-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Javassist-javadoc update (ELSA-2024-3061) javassist-javadoc-3.18.1-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Pki-servlet-engine update (ELSA-2024-3061) pki-servlet-engine-9.0.62-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Python3-idm-pki update (ELSA-2024-3061) python3-idm-pki-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
RelaxngDatatype update (ELSA-2024-3061) relaxngDatatype-2011.1-7.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Resteasy update (ELSA-2024-3061) resteasy-3.0.26-7.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Resteasy-javadoc update (ELSA-2024-3061) resteasy-javadoc-3.0.26-7.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux
Slf4j update (ELSA-2024-3061) slf4j-1.7.25-4.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Slf4j-jdk14 update (ELSA-2024-3061) slf4j-jdk14-1.7.25-4.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Stax-ex update (ELSA-2024-3061) stax-ex-1.7.7-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Velocity update (ELSA-2024-3061) velocity-1.7-24.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Xalan-j2 update (ELSA-2024-3061) xalan-j2-2.7.1-38.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Xerces-j2 update (ELSA-2024-3061) xerces-j2-2.11.0-34.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Xml-commons-apis update (ELSA-2024-3061) xml-commons-apis-1.4.01-25.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Xml-commons-resolver update (ELSA-2024-3061) xml-commons-resolver-1.2-26.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Xmlstreambuffer update (ELSA-2024-3061) xmlstreambuffer-1.5.4-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Xsom update (ELSA-2024-3061) xsom-0-19.20110809svn.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux
Vulnerabilities CVE-2018-11784 are fixed in Apache - tomcat-embed-core for Linux 8.5.34 | Linux
Vulnerabilities CVE-2018-11784 are fixed in Apache - tomcat-embed-core for Linux 7.0.91 | Linux
Vulnerabilities CVE-2018-11784 are fixed in Apache - tomcat-embed-core for Linux 9.0.12 | Linux
URL Redirection to Untrusted Site (Open Redirect) Vulnerability (CVE-2018-11784) | NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234