PublicDateAtUSN: 2018-10-04
Candidate: CVE-2018-11784
PublicDate: 2018-10-04 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784
 https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E
 https://ubuntu.com/security/notices/USN-3787-1
Description:
 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N [4.3 MEDIUM]

Patches_tomcat6:
upstream_tomcat6: needed
precise/esm_tomcat6: ignored (end of ESM support, was needed)
trusty_tomcat6: ignored (out of standard support)
trusty/esm_tomcat6: needed
xenial_tomcat6: ignored (end of standard support, was needed)
bionic_tomcat6: DNE
cosmic_tomcat6: DNE
disco_tomcat6: DNE
eoan_tomcat6: DNE
focal_tomcat6: DNE
groovy_tomcat6: DNE
hirsute_tomcat6: DNE
impish_tomcat6: DNE
jammy_tomcat6: DNE
devel_tomcat6: DNE

Patches_tomcat7:
upstream: http://svn.apache.org/viewvc?view=revision&revision=1840057
upstream_tomcat7: released (7.0.91)
precise/esm_tomcat7: DNE
trusty_tomcat7: released (7.0.52-1ubuntu0.16)
trusty/esm_tomcat7: released (7.0.52-1ubuntu0.16)
xenial_tomcat7: ignored (end of standard support, was needed)
bionic_tomcat7: needed
cosmic_tomcat7: ignored (reached end-of-life)
disco_tomcat7: DNE
eoan_tomcat7: DNE
focal_tomcat7: DNE
groovy_tomcat7: DNE
hirsute_tomcat7: DNE
impish_tomcat7: DNE
jammy_tomcat7: DNE
devel_tomcat7: DNE

Patches_tomcat8:
upstream: http://svn.apache.org/viewvc?view=revision&revision=1840056
upstream_tomcat8: released (8.5.34)
precise/esm_tomcat8: DNE
trusty_tomcat8: DNE
trusty/esm_tomcat8: DNE
xenial_tomcat8: released (8.0.32-1ubuntu1.8)
esm-infra/xenial_tomcat8: released (8.0.32-1ubuntu1.8)
bionic_tomcat8: released (8.5.39-1ubuntu1~18.04.1)
cosmic_tomcat8: released (8.5.39-1ubuntu1~18.10)
disco_tomcat8: DNE
eoan_tomcat8: DNE
focal_tomcat8: DNE
groovy_tomcat8: DNE
hirsute_tomcat8: DNE
impish_tomcat8: DNE
jammy_tomcat8: DNE
devel_tomcat8: DNE

Patches_tomcat8.0:
upstream_tomcat8.0: needs-triage
precise/esm_tomcat8.0: DNE
trusty_tomcat8.0: DNE
trusty/esm_tomcat8.0: DNE
xenial_tomcat8.0: DNE
bionic_tomcat8.0: DNE
cosmic_tomcat8.0: DNE
disco_tomcat8.0: DNE
eoan_tomcat8.0: DNE
focal_tomcat8.0: DNE
groovy_tomcat8.0: DNE
hirsute_tomcat8.0: DNE
impish_tomcat8.0: DNE
jammy_tomcat8.0: DNE
devel_tomcat8.0: DNE
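Two checks a practitioner usually wants from an entry like this: whether a given upstream Tomcat version falls inside the affected ranges the description lists (which requires ordering milestone builds such as 9.0.0.M1 below the 9.0.0 final), and which per-release status lines of the record are still open. The following is an added example written for this page; it is not code from the Ubuntu CVE tracker, the USN, or Apache Tomcat. The version ranges, fixed versions and sample status lines are copied from the entry above; the function names and the 'M'/'RC' pre-release ordering are the example's own assumptions.

```python
"""Check a Tomcat version against the affected ranges in this entry and parse
the per-release status lines of the tracker record.

Added example; not part of the Ubuntu CVE tracker, the USN, or Apache Tomcat.
Ranges, fixed versions and sample lines are copied from the entry above; the
helper names and pre-release ordering are assumptions made here.
"""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges from the CVE description, inclusive at both ends.
AFFECTED_RANGES = [("9.0.0.M1", "9.0.11"), ("8.5.0", "8.5.33"), ("7.0.23", "7.0.90")]
# Fixed upstream releases recorded in the Patches_* sections; the entry records
# no fixed version for the 9.0.x branch, so it is deliberately absent here.
FIXED_UPSTREAM = {"7.0": "7.0.91", "8.5": "8.5.34"}

# major.minor.patch with an optional milestone (M1) or release-candidate (RC1) tag.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?$")
_PRE_RANK = {"M": 0, "RC": 1}  # milestones < release candidates < final (rank 2)


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '9.0.0.M1' into a sortable tuple; a final release outranks its pre-releases."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, tag, n = m.groups()
    return (int(major), int(minor), int(patch), _PRE_RANK[tag] if tag else 2, int(n or 0))


def tomcat_version_affected(v: str) -> bool:
    """True if v lies inside one of the advisory's inclusive affected ranges."""
    key = parse_version(v)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def fixed_version_for(v: str) -> Optional[str]:
    """Upstream release to move to, or None if v is not affected or no fix is recorded."""
    if not tomcat_version_affected(v):
        return None
    major, minor = parse_version(v)[:2]
    return FIXED_UPSTREAM.get(f"{major}.{minor}")


# One status line of the tracker record: <release>_<package>: <status> [(detail)]
_STATUS_RE = re.compile(r"^([\w/.-]+?)_(tomcat[\w.]*):\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_statuses(text: str) -> Dict[Tuple[str, str], Tuple[str, Optional[str]]]:
    """Map (release, package) -> (status, detail) for every status line in text.
    Header lines such as 'Patches_tomcat7:' and 'upstream: <url>' do not match."""
    out = {}
    for line in text.splitlines():
        m = _STATUS_RE.match(line.strip())
        if m:
            rel, pkg, status, detail = m.groups()
            out[(rel, pkg)] = (status, detail)
    return out


def outstanding(text: str) -> List[str]:
    """Entries still owed work ('needed' or 'needs-triage'); DNE, ignored and released are settled."""
    return sorted(f"{rel}_{pkg}" for (rel, pkg), (status, _) in parse_statuses(text).items()
                  if status in ("needed", "needs-triage"))


# Constructed sample: a subset of the status lines from the tracker entry above.
SAMPLE_RECORD = """\
Patches_tomcat7:
upstream: http://svn.apache.org/viewvc?view=revision&revision=1840057
upstream_tomcat7: released (7.0.91)
trusty/esm_tomcat7: released (7.0.52-1ubuntu0.16)
xenial_tomcat7: ignored (end of standard support, was needed)
bionic_tomcat7: needed
jammy_tomcat7: DNE
Patches_tomcat8.0:
upstream_tomcat8.0: needs-triage
"""

if __name__ == "__main__":
    for v in ("9.0.0.M1", "9.0.11", "9.0.12", "8.5.33", "8.5.34", "8.0.32", "7.0.90", "7.0.91"):
        print(f"{v:10} affected={tomcat_version_affected(v)!s:5} fix={fixed_version_for(v)}")
    print("outstanding:", outstanding(SAMPLE_RECORD))
```

The upstream range check only applies to upstream version strings. Distribution packages carry backported fixes under their own version numbers, which is why the record shows xenial's tomcat8 fixed at 8.0.32-1ubuntu1.8 even though 8.0.x is not in the upstream affected ranges as listed (and is still needs-triage upstream); for an Ubuntu host, the status lines, not the bare Tomcat version, are the authority.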