Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.13.2, 8.0.2
Affects Version/s: 7.12.3, 7.13.0
Component/s: System Administration - General Configuration
Labels:

Fixed in Long Term Support Release/s:

Download 7.13
Introduced in Version:
7.12
Support reference count:
4
Symptom Severity:
Severity 2 - Major
UIS:
1
Bug Fix Policy:
View Atlassian Server bug fix policy

Open redirect in default servlet CVE-2018-11784

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

Fixed versions:

>=9.0.12

>=8.5.34

>=7.0.91

Workaround:

Use mapperDirectoryRedirectEnabled="true" and mapperContextRootRedirectEnabled="true" on the Context to ensure that redirects are issued by the Mapper rather than the default Servlet. See the Context configuration documentation for further important details.

relates to

BAM-20176 Default heap size for Bamboo service on Windows is too small

Closed

RAID-1043 Loading...

RAID-1047 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(9 mentioned in)

Assignee:: Pawel Drygas (Inactive)

Reporter:: Ignat (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Due:: 06/Dec/2018

Created:: 10/Oct/2018 9:22 AM

Updated:: 22/May/2020 8:23 AM

Resolved:: 20/Feb/2019 8:32 AM

Details

Description

Open redirect in default servlet CVE-2018-11784

Attachments

Issue Links

Forms

Activity

People

Dates