CVE-2023-41080: 
Java vulnerability analysis and mitigation

CVE-2023-41080 is a URL Redirection to Untrusted Site ('Open Redirect') vulnerability discovered in the FORM authentication feature of Apache Tomcat. The vulnerability affects multiple versions of Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79, and from 8.5.0 through 8.5.92. The vulnerability is specifically limited to the ROOT (default) web application (Apache Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue specifically affects the ROOT (default) web application when configured to use FORM authentication, where a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice (NetApp Advisory).

When successfully exploited, this vulnerability could lead to disclosure of sensitive information or addition or modification of data. The vulnerability allows an attacker to redirect users to malicious websites through the manipulation of the authentication system (NetApp Advisory).

Multiple vendors have released patches to address this vulnerability. Apache Tomcat has released fixed versions: 8.5.93, 9.0.80, and 10.1.13. Debian has also released security updates for affected packages in version 10.1.6-1+deb12u1 for tomcat10 and version 9.0.43-2~deb11u7 for tomcat9 (Debian Advisory, Debian Advisory).