CVE-2023-41080

Aliases: GHSA-q3mw-pvr8-9ggc, BIT-tomcat-2023-41080
Advisory lineage: Upstream: 0, Downstream: 16
Status: Modified
Published: 25 Aug 2023, 20:39
Last modified: 29 Oct 2025, 12:04

Vulnerability Summary

Overall Risk (default)
medium
27/100
CVSS Score
6.1 MEDIUM
v3.1 (nvd)
EPSS Score
11.59% MEDIUM
12% probability +0.24%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

25 Aug 2023, 20:39
Published
Vulnerability first disclosed
29 Oct 2025, 12:04
Last Modified
Vulnerability information updated

Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.

CVSS Metrics

  • v3.1 MEDIUM, Score: 6.1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 11.59% Percentile: 94%

Techniques & Countermeasures

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

    The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Affected Systems

  • apache software foundation / apache tomcat

    ≥ 11.0.0-M1, ≤ 11.0.0-M10 | ≥ 10.1.0-M1, ≤ 10.0.12 | ≥ 9.0.0-M1, ≤ 9.0.79 | ≥ 8.5.0, ≤ 8.5.92

  • Unknown / Tomcat

    ≥ 8.5.0, ≤ 8.5.92 | ≥ 9.0.0, ≤ 9.0.79 | ≥ 10.1.0, ≤ 10.1.12 | 11.0.0:milestone1 | 11.0.0:milestone10 | 11.0.0:milestone2 | 11.0.0:milestone3 | 11.0.0:milestone4 | 11.0.0:milestone5 | 11.0.0:milestone6 | 11.0.0:milestone7 | 11.0.0:milestone8 | 11.0.0:milestone9

  • debian / debian_linux

    10.0 | 11.0

  • org.apache.tomcat:tomcat

    ≥ 11.0.0-M1, < 11.0.0-M11 | ≥ 10.1.0-M1, < 10.1.13 | ≥ 9.0.0-M1, < 9.0.80 | ≥ 8.5.0, < 8.5.93

  • org.apache.tomcat.embed:tomcat-embed-core

    ≥ 8.5.0, < 8.5.93 | ≥ 9.0.0-M1, < 9.0.80 | ≥ 10.1.0-M1, < 10.1.13 | ≥ 11.0.0-M1, < 11.0.0-M11

References (12)