Shaofeng SHI created KYLIN-3611:
-----------------------------------
Summary: Upgrade Tomcat to 7.0.91, 8.5.34 or later
Key: KYLIN-3611
URL: https://issues.apache.org/jira/browse/KYLIN-3611
Project: Kylin
Issue Type: Improvement
Reporter: Shaofeng SHI
h2. [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
CVE-2018-11784 Apache Tomcat - Open Redirect
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.11
Apache Tomcat 8.5.0 to 8.5.33
Apache Tomcat 7.0.23 to 7.0.90
The unsupported 8.0.x release line has not been analysed but is likely
to be affected.
Description:
When the default servlet returned a redirect to a directory (e.g.
redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any
URI of the attackers choice.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.12 or later.
- Upgrade to Apache Tomcat 8.5.34 or later.
- Upgrade to Apache Tomcat 7.0.91 or later.
- Use mapperDirectoryRedirectEnabled="true" and
mapperContextRootRedirectEnabled="true" on the Context to ensure that
redirects are issued by the Mapper rather than the default Servlet.
See the Context configuration documentation for further important
details.
Credit:
This vulnerability was found by Sergey Bobrov and reported responsibly
to the Apache Tomcat Security Team.
History:
2018-10-03 Original advisory
References:
[1] [http://tomcat.apache.org/security-9.html]
[2] [http://tomcat.apache.org/security-8.html]
[3] [http://tomcat.apache.org/security-7.html]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
