Moderate severityNVD Advisory· Published Aug 25, 2023· Updated Oct 29, 2025
Apache Tomcat: Open redirect with FORM authentication
CVE-2023-41080
Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected.
The vulnerability is limited to the ROOT (default) web application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 11.0.0-M1, < 11.0.0-M11 | 11.0.0-M11 |
org.apache.tomcat:tomcatMaven | >= 10.1.0-M1, < 10.1.13 | 10.1.13 |
org.apache.tomcat:tomcatMaven | >= 9.0.0-M1, < 9.0.80 | 9.0.80 |
org.apache.tomcat:tomcatMaven | >= 8.5.0, < 8.5.93 | 8.5.93 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.0, < 8.5.93 | 8.5.93 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0-M1, < 9.0.80 | 9.0.80 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 10.1.0-M1, < 10.1.13 | 10.1.13 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 11.0.0-M1, < 11.0.0-M11 | 11.0.0-M11 |
org.apache.tomcat:tomcat-catalinaMaven | >= 10.1.0-M1, < 10.1.13 | 10.1.13 |
org.apache.tomcat:tomcat-catalinaMaven | >= 9.0.0-M1, < 9.0.80 | 9.0.80 |
org.apache.tomcat:tomcat-catalinaMaven | >= 8.5.0, < 8.5.93 | 8.5.93 |
Affected products
35- osv-coords34 versionspkg:apk/chainguard/spark-3.5.0-compatpkg:apk/chainguard/tomcat-8.5.87pkg:apk/chainguard/tomcat-8.5.87-jamf-compatpkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcatpkg:rpm/almalinux/tomcatpkg:rpm/almalinux/tomcat-admin-webappspkg:rpm/almalinux/tomcat-docs-webapppkg:rpm/almalinux/tomcat-el-3.0-apipkg:rpm/almalinux/tomcat-jsp-2.3-apipkg:rpm/almalinux/tomcat-libpkg:rpm/almalinux/tomcat-servlet-4.0-apipkg:rpm/almalinux/tomcat-webappspkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.2
< 3.5.0-r2+ 33 more
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: < 8.5.87-r3
- (no CPE)range: < 8.5.87-r3
- (no CPE)range: >= 8.5.0, < 8.5.93
- (no CPE)range: >= 8.5.0, < 8.5.93
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M11
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.80-1.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.36-3.108.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.36-3.108.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.82-150200.46.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.82-150200.46.1
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-q3mw-pvr8-9ggcghsaADVISORY
- lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2fghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-41080ghsaADVISORY
- github.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3bghsaWEB
- github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906bghsaWEB
- github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27ghsaWEB
- github.com/apache/tomcat/commit/e3703c9abb8fe0d5602f6ba8a8f11d4b6940815aghsaWEB
- lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlghsaWEB
- security.netapp.com/advisory/ntap-20230921-0006ghsaWEB
- www.debian.org/security/2023/dsa-5521ghsaWEB
- www.debian.org/security/2023/dsa-5522ghsaWEB
News mentions
0No linked articles in our index yet.