CVE-2018-11784
Redirect vulnerability in tomcat-embed-core (Maven)


What is CVE-2018-11784 About?

This vulnerability in Apache Tomcat's default servlet allows attackers to craft a special URL that can manipulate the redirect location when a request to a directory is made without a trailing slash. This can lead to arbitrary URI redirects, potentially enabling phishing or other client-side attacks. Exploitation is relatively easy, requiring only a specially crafted URL.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0, <9.0.12
    • >8.5.0, <8.5.34
    • >7.0.23, <7.0.91

Technical Details

The vulnerability occurs in Apache Tomcat's default servlet when it handles a request to a directory URI that omits the trailing slash (e.g., /foo instead of /foo/). Under normal circumstances, the default servlet will issue an HTTP redirect to the canonical URI with the trailing slash (/foo/). However, a flaw in how this redirect URL is constructed allows a specially crafted input within the original request URI to interfere with the redirect location. An attacker can inject arbitrary URI components into the request, causing the resulting redirect to point to an attacker-controlled external URI. This effectively allows for an open redirect, leveraging the Tomcat server to redirect users to malicious websites.

What is the Impact of CVE-2018-11784?

Successful exploitation may allow attackers to redirect users to arbitrary malicious websites, potentially leading to phishing attacks, credential theft, or drive-by downloads.

What is the Exploitability of CVE-2018-11784?

Exploitation of this vulnerability is straightforward and requires no authentication or special privileges. An attacker only needs to construct a specially crafted HTTP request containing a malicious URI and have it sent to the vulnerable Tomcat server. The attack is remote and relies on the server's response (a redirect) to affect the client; its complexity is low, since it involves nothing more than manipulating the request URL string. Any user who clicks on, or is otherwise directed to, such a crafted URL is subject to the redirect, so the likelihood of a successful attack rises with how widely the URL is disseminated.

What are the Known Public Exploits?

PoC   Author                 Link   Commentary
      Cappricio-Securities   Link   Apache Tomcat - Open Redirect

What are the Available Fixes for CVE-2018-11784?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch prevents the generation of protocol-relative redirects (e.g., URLs starting with "//") in Apache Tomcat's DefaultServlet by stripping redundant leading slashes before issuing redirects. This fixes CVE-2018-11784 because such redirects could allow attackers to force victims to access untrusted sites or perform phishing attacks via crafted URLs, bypassing same-origin policies.
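The following is an added example, not Tomcat's own DefaultServlet code, illustrating the two passages above: the Technical Details section (the directory redirect is built from the request URI, so a URI beginning with "//" yields a protocol-relative Location that browsers resolve to another host) and the fix description (collapse redundant leading slashes before issuing the redirect). The method names, the sample request URIs and the placeholder host attacker.example are assumptions constructed for the example; the hardening mirrors the behaviour described on this page rather than reproducing the actual patch line for line.

```java
// Added example (not Apache Tomcat code): naive vs. hardened construction of the
// "add a trailing slash" redirect that a default servlet sends for /foo -> /foo/.
public final class DirectoryRedirect {

    /**
     * Naive construction: request URI + "/", as described in Technical Details.
     * For a request URI of "//attacker.example" this yields "//attacker.example/",
     * which browsers treat as protocol-relative (i.e. a different origin).
     */
    static String naiveRedirectLocation(String requestUri) {
        return requestUri + "/";
    }

    /**
     * Hardened construction, following the fix description above: collapse any
     * run of leading slashes to a single "/" so the Location can only ever be a
     * path on the current origin, then append the trailing slash.
     */
    static String hardenedRedirectLocation(String requestUri) {
        int i = 0;
        while (i < requestUri.length() && requestUri.charAt(i) == '/') {
            i++;
        }
        String path = "/" + requestUri.substring(i);
        return path.endsWith("/") ? path : path + "/";
    }

    /**
     * Defence-in-depth check a filter or response wrapper can apply to any
     * Location header before it leaves the server: accept only same-origin
     * paths. "/\" is rejected as well because browsers normalise a backslash
     * to "/" after the scheme, making "/\host" behave like "//host".
     */
    static boolean isSameOriginPath(String location) {
        return location.startsWith("/")
                && !location.startsWith("//")
                && !location.startsWith("/\\");
    }

    public static void main(String[] args) {
        // Constructed sample request URIs: a benign directory request and two
        // protocol-relative variants using the placeholder host attacker.example.
        String[] samples = { "/foo", "//attacker.example/foo", "///attacker.example" };
        for (String uri : samples) {
            String naive = naiveRedirectLocation(uri);
            String hardened = hardenedRedirectLocation(uri);
            System.out.printf("%-26s naive=%-28s sameOrigin=%-5b hardened=%s%n",
                    uri, naive, isSameOriginPath(naive), hardened);
        }
    }
}
```

Running the class prints, for each sample URI, the naive Location, whether the same-origin check would have accepted it, and the hardened Location; the two protocol-relative samples fail the check under the naive construction and collapse to ordinary paths on the current host under the hardened one. The same-origin check is the piece worth reusing independently of the version upgrade: it catches any redirect that escapes the origin, whichever code path built it.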

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >7.0.23, <7.0.91 → Upgrade to 7.0.91
  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.5.0, <8.5.34 → Upgrade to 8.5.34
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0, <9.0.12 → Upgrade to 9.0.12


Additional Resources

What are Similar Vulnerabilities to CVE-2018-11784?

Similar Vulnerabilities: CVE-2017-7670, CVE-2015-5174, CVE-2019-10086, CVE-2019-0210, CVE-2014-0062