https://bz.apache.org/bugzilla/show_bug.cgi?id=66032
Bug ID: 66032
Summary: Tomcat 8.5.61 vulnerable to CVE-2018-11784
Product: Tomcat 8
Version: 8.5.61
Hardware: HP
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: cristian.ce...@nexigroup.com
Target Milestone: ---

Hello,

we upgraded our Tomcat version from 7.0.78 first to 7.0.96 and then to 8.5.61 because we know that those releases are not affected by vulnerability CVE-2018-11784. In fact, the CVE says:

"When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice."

But after both upgrades the vulnerability was re-checked, and the company which scans our applications says that it is still present.

We run Tomcat 8.5.61 on RHV virtual machines with Red Hat Enterprise Linux Server release 7.3 (Maipo), kernel 3.10.0-514.26.2.el7.x86_64.

Is anyone aware of this issue? Are we doing anything wrong?

Thanks in advance,
cristian
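A behavioural probe for the bug class the report quotes, added here as an illustration; it is not code from the reporter, from the scanning vendor or from the Tomcat project. The CVE text describes the default servlet turning a request for a directory without a trailing slash into a redirect, and the attacker influencing where that redirect points. The check below assumes (and labels as assumptions) that a Tomcat instance listens on port 8080, that a directory named `docs` is served by the default servlet, and that the crafted request is a request target with a doubled leading slash (`//docs`): if the server answers with a `Location` header that is protocol-relative (`//docs/`) or names a foreign host, browsers will leave the site, and the instance behaves like the vulnerable versions; a `Location` of `/docs/` or `http://<same-host>/docs/` means the redirect is anchored to the server. The parsing and classification run offline against constructed sample responses; the network probe is only used when the script is invoked directly. `harden_location` is a model of the server-side mitigation (collapse leading slashes before emitting the redirect), written here for comparison, not a copy of Tomcat's code. When a scanner's verdict disagrees with the version you actually run, a probe like this, run against the real listener, is the evidence to bring back to the vendor.

```python
"""Probe a Tomcat-style directory redirect for a protocol-relative
(open) redirect of the CVE-2018-11784 class.  Added example; assumptions
(port, directory name, request shape) are marked inline."""
import socket
import sys
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def build_probe_request(host: str, directory: str, port: int = 8080) -> bytes:
    """Raw HTTP/1.1 request whose target starts with '//' (assumption:
    this is the crafted URL shape that reaches the redirect code path)."""
    target = "//" + directory.strip("/")
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response_head(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(status: int, headers: dict, expected_host: str) -> str:
    """'vulnerable' if the redirect can leave expected_host, 'fixed' if it is
    anchored to the server, 'no-redirect' if the response is not a redirect."""
    if status not in REDIRECT_STATUSES or "location" not in headers:
        return "no-redirect"
    location = headers["location"]
    if location.startswith("//"):
        # Protocol-relative URL: browsers resolve '//docs/' as http(s)://docs/
        return "vulnerable"
    parts = urlsplit(location)
    if parts.scheme and parts.hostname and parts.hostname != expected_host:
        return "vulnerable"
    return "fixed"


def harden_location(request_uri: str) -> str:
    """Model of the server-side mitigation (not Tomcat's own code): build the
    directory redirect and strip every leading slash beyond the first, so a
    '//docs' request URI can only ever redirect to '/docs/'."""
    location = request_uri + "/"
    while len(location) > 1 and location[1] == "/":
        location = location[1:]
    return location


# Constructed sample responses (not captured from any real server).
SAMPLE_VULNERABLE = b"HTTP/1.1 302 \r\nLocation: //docs/\r\nContent-Length: 0\r\n\r\n"
SAMPLE_ABSOLUTE_FOREIGN = b"HTTP/1.1 302 \r\nLocation: http://docs/\r\n\r\n"
SAMPLE_FIXED = b"HTTP/1.1 302 \r\nLocation: /docs/\r\nContent-Length: 0\r\n\r\n"
SAMPLE_NOT_FOUND = b"HTTP/1.1 404 \r\nContent-Length: 0\r\n\r\n"


def classify_raw(raw: bytes, expected_host: str) -> str:
    """Convenience wrapper: classify a raw response for expected_host."""
    status, headers = parse_response_head(raw)
    return classify_redirect(status, headers, expected_host)


def probe(host: str, directory: str, port: int = 8080, timeout: float = 5.0) -> str:
    """Send the crafted request to a live listener and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe_request(host, directory, port))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_raw(raw, host)


if __name__ == "__main__":
    # Usage: python probe.py <host> [directory] [port]   (defaults are assumptions)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    directory = sys.argv[2] if len(sys.argv) > 2 else "docs"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 8080
    print(f"{host}:{port} //{directory} -> {probe(host, directory, port)}")
```

Run it against the upgraded 8.5.61 instance with a directory that really exists under the default servlet; a `no-redirect` result means the probe did not hit the redirect path at all (wrong directory, a different servlet mapping, or a reverse proxy in front that normalises the path), and in that case the request should be repeated directly against the Tomcat connector rather than through the proxy.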