kylin-dev mailing list archives

From "Shaofeng SHI (JIRA)" <>
Subject [jira] [Created] (KYLIN-3611) Upgrade Tomcat to 7.0.91, 8.5.34 or later
Date Thu, 04 Oct 2018 01:26:00 GMT
Shaofeng SHI created KYLIN-3611:

             Summary: Upgrade Tomcat to 7.0.91, 8.5.34 or later
                 Key: KYLIN-3611
             Project: Kylin
          Issue Type: Improvement
            Reporter: Shaofeng SHI

h2. [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.11
Apache Tomcat 8.5.0 to 8.5.33
Apache Tomcat 7.0.23 to 7.0.90
The unsupported 8.0.x release line has not been analysed but is likely
to be affected.

When the default servlet returned a redirect to a directory (e.g.
redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any
URI of the attacker's choice.

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 9.0.12 or later.
- Upgrade to Apache Tomcat 8.5.34 or later.
- Upgrade to Apache Tomcat 7.0.91 or later.
- Use mapperDirectoryRedirectEnabled="true" and
  mapperContextRootRedirectEnabled="true" on the Context to ensure that
  redirects are issued by the Mapper rather than the default Servlet.
  See the Context configuration documentation for further important

This vulnerability was found by Sergey Bobrov and reported responsibly
to the Apache Tomcat Security Team.

2018-10-03 Original advisory

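The affected-version ranges and the Context mitigation quoted in the advisory above, as an added example that is not part of this JIRA issue, the Kylin project, or the Tomcat advisory: a small Python check that classifies a Tomcat version string against the advisory's inclusive ranges (treating the unanalysed 8.0.x line as unknown) and confirms that a Context element explicitly sets both Mapper redirect attributes the advisory names. The ordering rule for 9.0.0.Mx milestone builds (milestone before final), the sample version strings, and the two sample Context elements are assumptions made for this example.

```python
"""
Added example (not Kylin or Tomcat project code): classify a Tomcat version
for CVE-2018-11784 and check a Context element for the advisory's mitigation.
"""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges as published in the advisory, keyed by release line.
# 9.0.0.M1 is a milestone build; this example assumes milestones sort before
# the final build with the same patch number.
AFFECTED = {
    (7, 0): ("7.0.23", "7.0.90"),
    (8, 5): ("8.5.0", "8.5.33"),
    (9, 0): ("9.0.0.M1", "9.0.11"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Return a sortable key for a Tomcat version such as '8.5.34' or '9.0.0.M1'.

    Key layout: (major, minor, patch, is_final, milestone). A milestone build
    (is_final=0) orders before the final build with the same patch number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def classify(version):
    """Classify a Tomcat version against the advisory's ranges.

    Returns 'affected', 'fixed' (after the last affected release of its line),
    'unaffected' (before the first affected release of its line), or 'unknown'
    (the 8.0.x line, which the advisory did not analyse, and any line the
    advisory does not mention at all).
    """
    key = parse_version(version)
    line = key[:2]
    if line not in AFFECTED:
        return "unknown"  # includes 8.0.x: "not analysed but likely affected"
    lo, hi = (parse_version(v) for v in AFFECTED[line])
    if key < lo:
        return "unaffected"
    if key <= hi:
        return "affected"
    return "fixed"


def context_has_mapper_redirects(context_xml):
    """True when the <Context> explicitly enables both Mapper redirect attributes
    from the advisory, so '/foo' -> '/foo/' redirects come from the Mapper rather
    than the default servlet.

    An absent attribute counts as not mitigated: the check confirms the explicit
    setting the advisory asks for and deliberately assumes no server default.
    """
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element")
    wanted = ("mapperDirectoryRedirectEnabled", "mapperContextRootRedirectEnabled")
    return all(root.get(attr, "").strip().lower() == "true" for attr in wanted)


# Constructed sample Context elements for this example (not from Kylin's tree).
WEAK_CONTEXT = '<Context path="/kylin"/>'
MITIGATED_CONTEXT = (
    '<Context path="/kylin" mapperDirectoryRedirectEnabled="true" '
    'mapperContextRootRedirectEnabled="true"/>'
)

if __name__ == "__main__":
    # Sample version strings chosen to sit on each range boundary.
    for v in ("7.0.22", "7.0.90", "7.0.91", "8.0.53", "8.5.33",
              "8.5.34", "9.0.0.M1", "9.0.11", "9.0.12"):
        print(f"{v:>9}: {classify(v)}")
    print("weak context mitigated:", context_has_mapper_redirects(WEAK_CONTEXT))
    print("hardened context mitigated:", context_has_mapper_redirects(MITIGATED_CONTEXT))
```

Feed `classify` the version reported by the Tomcat build in use and `context_has_mapper_redirects` the contents of the deployed context.xml; a result of "affected" with a False mitigation check is the case the ticket asks to close by upgrading.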