CVE-2023-41080
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in tomcat-embed-core (Maven)


What is CVE-2023-41080 About?

This vulnerability is an Open Redirect flaw in the FORM authentication feature of Apache Tomcat, limited to the ROOT (default) web application. After a successful login Tomcat redirects the user back to the URI they originally requested; because a request path that begins with "//" is saved as received, that post-login redirect can point at an attacker-chosen host, which makes the flaw useful for phishing. Exploitation is straightforward: a single crafted link is enough.

Affected Software

  • org.apache.tomcat:tomcat
    • >=8.5.0, <8.5.93
    • >=9.0.0-M1, <9.0.80
    • >=10.1.0-M1, <10.1.13
    • >=11.0.0-M1, <11.0.0-M11
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=8.5.0, <8.5.93
    • >=9.0.0-M1, <9.0.80
    • >=10.1.0-M1, <10.1.13
    • >=11.0.0-M1, <11.0.0-M11

Technical Details

The vulnerability lies in how Tomcat's FORM authenticator restores the original request after login. When an unauthenticated user requests a resource covered by a security constraint, Tomcat saves the request URI in the session, shows the login page and, once the POST to j_security_check succeeds, answers with a 302 redirect to the saved URI. The saved value is the URI exactly as received, before the path normalization Tomcat applies for mapping. If the request path begins with two slashes, for example https://victim.example//attacker.example/, Tomcat normalizes it to /attacker.example/ for routing and constraint matching, but the redirect it sends after login is Location: //attacker.example/. Browsers treat a reference that starts with "//" as scheme-relative (RFC 3986, section 4.2), so the user lands on https://attacker.example/. No redirect, next or similar parameter is involved: the redirect target is the request path itself. The issue is limited to the ROOT (default) web application because a request only reaches a non-ROOT context when its first path segment is that context's path, so the host name in the resulting "//" reference would be the context name rather than a value the attacker chooses.

What is the Impact of CVE-2023-41080?

Successful exploitation sends a user to an attacker-controlled site immediately after a genuine login on the vulnerable host, which makes a credential-phishing page ("your session has expired, please sign in again") or a malware download unusually convincing. The redirect itself does not hand the attacker the victim's Tomcat session or credentials; the impact comes from what the attacker's site does next.

What is the Exploitability of CVE-2023-41080?

Exploitation is low complexity: the attacker crafts a link to the vulnerable host whose path begins with "//" followed by the attacker's host name (for example https://victim.example//attacker.example/) and gets a victim to open it. The attacker needs no account or privileges on the target; the victim supplies the credentials. Three preconditions apply: the ROOT web application must use FORM authentication, its security constraint must cover the normalized path (/attacker.example/ in the example), which in practice means a broad pattern such as /*, and the victim must not already be authenticated, since otherwise no login and therefore no post-login redirect takes place. The attack is remote and requires user interaction (opening the link and completing the login). It is more likely to be attempted against instances that are reachable from the internet and serve a login form to end users. A reverse proxy that normalizes repeated slashes before forwarding would block the attack, but do not rely on that without testing it against your own deployment.
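The exploitation flow above leaves a recognizable trace in Tomcat access logs. The following is an added example, not the page's PoC and not Tomcat code: a small detector that scans log lines in Tomcat's default "common" pattern (%h %l %u %t "%r" %s %b) for a request whose path begins with "//" (or "/\", which browsers also read as a host separator) followed, from the same client, by a successful FORM login (POST /j_security_check answered with 302). It assumes the %r element records the request URI as received, which is the case for Tomcat itself but may not hold if a proxy in front of it rewrites paths; verify against your own logs. The sample log lines are constructed for this example.

```python
"""
Added example, not from the page's PoC or from Tomcat: detect the
CVE-2023-41080 exploitation pattern in Tomcat access log lines written
with the default "common" pattern: %h %l %u %t "%r" %s %b.
All log lines below are constructed for illustration.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)

# Constructed sample: one real chain (203.0.113.7), one normal login
# (198.51.100.4) and one stray "//" request with no login (203.0.113.9).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2023:10:02:11 +0000] "GET //attacker.example/ HTTP/1.1" 200 1342
203.0.113.7 - - [15/Sep/2023:10:02:19 +0000] "POST /j_security_check HTTP/1.1" 302 -
198.51.100.4 - - [15/Sep/2023:10:03:01 +0000] "GET /reports/q3 HTTP/1.1" 200 1342
198.51.100.4 - - [15/Sep/2023:10:03:05 +0000] "POST /j_security_check HTTP/1.1" 302 -
203.0.113.9 - - [15/Sep/2023:10:04:40 +0000] "GET //cdn.example/x.js HTTP/1.1" 404 -
"""


def is_scheme_relative_path(path):
    """True when a browser would read the path as //host (or /\\host):
    the shape of the crafted link used against CVE-2023-41080."""
    return len(path) > 1 and path[0] == "/" and path[1] in "/\\"


def find_open_redirect_chains(log_text):
    """Return [(ip, suspicious_path)] for each client that requested a
    scheme-relative path and then completed a FORM login. The 302 answering
    that login is the redirect to the attacker's host. A "//" request with
    no login afterwards (last sample line) is noise and is not reported."""
    pending = {}  # ip -> most recent suspicious path seen before a login
    chains = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line in another format or truncated; skip it
        ip = m.group("ip")
        path = m.group("target").split("?", 1)[0]
        if is_scheme_relative_path(path):
            pending[ip] = path
        elif (m.group("method") == "POST" and path == "/j_security_check"
              and m.group("status") == "302" and ip in pending):
            chains.append((ip, pending.pop(ip)))
    return chains


if __name__ == "__main__":
    for ip, path in find_open_redirect_chains(SAMPLE_LOG):
        print(f"possible CVE-2023-41080 exploitation from {ip}: {path}")
```

Run it over a real access log by passing the file contents to find_open_redirect_chains. Correlating on client IP is a deliberate simplification; behind a load balancer use the forwarded client address (for example via the RemoteIpValve) or the session cookie instead.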

What are the Known Public Exploits?

PoC Author    Link    Commentary
shiomiyan     Link    PoC for CVE-2023-41080

What are the Available Fixes for CVE-2023-41080?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

The patch changes the FORM authenticator so that the saved request URI used for the post-login redirect starts with exactly one slash: redundant leading slashes are collapsed before the redirect is issued. A saved target such as //attacker.example/ therefore becomes /attacker.example/, which the browser resolves against the scheme and host of the page it is on, so the post-login redirect can no longer leave the origin through a scheme-relative reference. This addresses CVE-2023-41080 without changing how the rest of the saved request is restored.
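To make the mechanism in the Technical Details and Exploitability sections and the fix described just above concrete, here is an added example. It is not Tomcat's code: it is a toy model of the FORM authenticator on a ROOT web application whose security constraint is /*, played through the exchange from the victim's browser's point of view. With fixed=False it reproduces the pre-fix behaviour (the saved URI is redirected to as received); with fixed=True it applies the leading-slash collapse the fix performs. The host names, paths and credentials are constructed for illustration, and normalize_path only approximates the path normalization Tomcat uses for routing.

```python
"""
Added example, not Tomcat's code: a toy model of the FORM authentication
redirect on the ROOT web application, showing why a request path that
starts with "//" produced an off-origin redirect before the fix and how
collapsing the leading slashes keeps the redirect on the victim's origin.
All host names, paths and credentials are constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

VICTIM_ORIGIN = "https://victim.example"  # constructed vulnerable host
LOGIN_PAGE = "/login.html"                # constructed <form-login-page>
VALID_CREDS = ("alice", "correct horse")  # constructed victim credentials


def normalize_path(raw):
    """Approximation of the normalization Tomcat applies before mapping a
    request: repeated slashes are collapsed. Used here for routing only;
    the saved request URI is deliberately NOT normalized (that is the bug)."""
    out = []
    for ch in raw:
        if ch == "/" and out and out[-1] == "/":
            continue
        out.append(ch)
    return "".join(out)


def collapse_leading_slashes(uri):
    """The fix's normalization: make the saved URI start with exactly one '/'.
    A reference beginning with '//' is scheme-relative (RFC 3986, 4.2) and
    would carry the browser to whatever host follows the slashes."""
    i = 0
    while i < len(uri) and uri[i] == "/":
        i += 1
    return "/" + uri[i:]


class ToyFormAuthenticator:
    """Stand-in for the FORM authenticator of a ROOT app whose security
    constraint is /* (everything except the login page is protected)."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.session = {}  # one session per toy instance

    def request(self, method, raw_uri, creds=None):
        """Return (status, body_or_location) like a minimal container would."""
        path = raw_uri.split("?", 1)[0]
        if method == "POST" and path == "/j_security_check":
            if creds != VALID_CREDS:
                return 403, "login failed"
            self.session["principal"] = creds[0]
            target = self.session.pop("saved_uri", "/")
            if self.fixed:
                target = collapse_leading_slashes(target)
            return 302, target  # value of the Location header
        if normalize_path(path) == LOGIN_PAGE:
            return 200, "login form"
        if "principal" in self.session:
            return 200, "protected content"
        # Unauthenticated access to a protected path: remember the request
        # URI exactly as received, then show the login form.
        self.session["saved_uri"] = raw_uri
        return 200, "login form"


def post_login_host(fixed, link_path):
    """Play the victim's browser through the exchange and return the host it
    ends up on after the post-login 302. urljoin resolves the Location
    header the way RFC 3986 reference resolution does."""
    server = ToyFormAuthenticator(fixed)
    server.request("GET", link_path)  # victim opens the crafted link
    status, location = server.request("POST", "/j_security_check", VALID_CREDS)
    assert status == 302
    final_url = urljoin(VICTIM_ORIGIN + "/j_security_check", location)
    return urlsplit(final_url).netloc


def is_safe_local_redirect(location):
    """Defense in depth for application code that issues its own redirects:
    accept only an absolute path on this origin. Rejects '//host' and also
    '/\\host', because browsers treat a backslash like a slash in http(s)
    URLs even though urljoin does not."""
    if not location.startswith("/"):
        return False
    return not (len(location) > 1 and location[1] in "/\\")


if __name__ == "__main__":
    crafted = "//attacker.example/"  # path part of the link the victim clicks
    print("vulnerable:", post_login_host(False, crafted))  # attacker.example
    print("fixed:     ", post_login_host(True, crafted))   # victim.example
```

The same-origin outcome depends only on the first two characters of the Location value, which is why the fix can be as small as the page describes. is_safe_local_redirect is included for code that builds redirects itself; it is stricter than urljoin because browsers, unlike Python's parser, also treat "/\" as a host separator.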

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >=8.5.0, <8.5.93 → Upgrade to 8.5.93
    • >=9.0.0-M1, <9.0.80 → Upgrade to 9.0.80
    • >=10.1.0-M1, <10.1.13 → Upgrade to 10.1.13
    • >=11.0.0-M1, <11.0.0-M11 → Upgrade to 11.0.0-M11
  • org.apache.tomcat:tomcat
    • >=8.5.0, <8.5.93 → Upgrade to 8.5.93
    • >=9.0.0-M1, <9.0.80 → Upgrade to 9.0.80
    • >=10.1.0-M1, <10.1.13 → Upgrade to 10.1.13
    • >=11.0.0-M1, <11.0.0-M11 → Upgrade to 11.0.0-M11

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2023-41080?

Similar Vulnerabilities: CVE-2023-28370 , CVE-2023-39968 , CVE-2022-23307 , CVE-2020-15509 , CVE-2019-17558