CVE-2023-41080 Overview
CVE-2023-41080 is an Open Redirect vulnerability (CWE-601) affecting the FORM authentication feature in Apache Tomcat. This vulnerability allows attackers to redirect users to untrusted external sites after authentication, potentially enabling phishing attacks or credential theft. The issue specifically impacts the ROOT (default) web application and affects multiple versions across the Tomcat 8.5, 9.0, 10.x, and 11.x release branches.
Critical Impact
Attackers can exploit this vulnerability to redirect authenticated users to malicious websites, facilitating phishing campaigns, credential harvesting, and social engineering attacks against organizations using affected Apache Tomcat deployments.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.0-M10
- Apache Tomcat 10.1.0-M1 through 10.0.12
- Apache Tomcat 9.0.0-M1 through 9.0.79
- Apache Tomcat 8.5.0 through 8.5.92
- Debian Linux 10.0 and 11.0
Discovery Timeline
- 2023-08-25 - CVE CVE-2023-41080 published to NVD
- 2025-08-07 - Last updated in NVD database
Technical Details for CVE-2023-41080
Vulnerability Analysis
This Open Redirect vulnerability exists within the FORM-based authentication mechanism of Apache Tomcat. When FORM authentication is used, Tomcat redirects users to a specified URL after successful authentication. The vulnerability arises because the application does not properly validate or sanitize the redirect URL parameter, allowing attackers to craft malicious URLs that redirect authenticated users to attacker-controlled external sites.
The vulnerability is specifically limited to the ROOT (default) web application, meaning only deployments using the default context path are directly affected. Older, end-of-life (EOL) versions of Tomcat may also be vulnerable. This type of vulnerability is commonly exploited in phishing attacks where users believe they are on a legitimate site but are redirected to a malicious domain after logging in.
Root Cause
The root cause of CVE-2023-41080 is improper URL validation in the FORM authentication redirect handling logic. When processing authentication requests, Tomcat fails to adequately verify that the redirect destination URL points to a trusted internal resource. This allows attackers to inject arbitrary URLs, including external domains, into the authentication flow.
The FORM authentication mechanism stores the original requested URL and redirects the user back to it after successful authentication. Without proper validation, this redirect target can be manipulated to point to any URL, including malicious external sites.
Attack Vector
The attack vector for this vulnerability is network-based and requires user interaction. An attacker can exploit this vulnerability by crafting a malicious URL to the affected Tomcat application that includes a redirect parameter pointing to an attacker-controlled site. When a victim clicks this link and authenticates, they are redirected to the malicious site.
A typical attack scenario involves:
- The attacker crafts a URL to the vulnerable Tomcat application containing a malicious redirect destination
- The attacker delivers this link to potential victims via phishing emails, social media, or other means
- The victim clicks the link and is presented with the legitimate Tomcat login page
- After the victim successfully authenticates, Tomcat redirects them to the attacker-controlled malicious site
- The victim, believing they are still on the legitimate site, may enter additional credentials or sensitive information
This technique is particularly effective because the initial login page is legitimate, building user trust before the malicious redirect occurs.
Detection Methods for CVE-2023-41080
Indicators of Compromise
- HTTP requests to the authentication endpoint containing external URLs in redirect parameters
- Login page requests with URL-encoded external domain references in query strings
- Unusual authentication patterns followed by external redirects in access logs
- User reports of being redirected to unfamiliar sites after logging in
Detection Strategies
- Monitor web server access logs for authentication requests containing external domains in URL parameters
- Implement web application firewall (WAF) rules to detect and block redirect parameters pointing to external sites
- Review Tomcat access logs for patterns indicating redirect abuse, particularly requests with ?redirect= or similar parameters containing http:// or https:// prefixes to external domains
- Deploy URL reputation monitoring to identify redirects to known malicious domains
Monitoring Recommendations
- Enable detailed access logging in Apache Tomcat to capture full request URLs including query parameters
- Implement alerting on authentication endpoints receiving requests with external URL parameters
- Monitor for increased phishing reports from users that reference your organization's legitimate Tomcat applications
- Configure SentinelOne Singularity to monitor for suspicious redirect patterns and network connections following authentication events
How to Mitigate CVE-2023-41080
Immediate Actions Required
- Upgrade Apache Tomcat to a patched version immediately: 11.0.0-M11 or later, 10.1.13 or later, 9.0.80 or later, or 8.5.93 or later
- If immediate patching is not possible, consider disabling FORM authentication temporarily or restricting access to the ROOT web application
- Review and audit current Tomcat configurations to identify all instances using FORM authentication
- Communicate with users about the potential for phishing attacks leveraging this vulnerability
Patch Information
Apache has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- Apache Tomcat 11.0.0-M11 or later
- Apache Tomcat 10.1.13 or later
- Apache Tomcat 9.0.80 or later
- Apache Tomcat 8.5.93 or later
For detailed patch information, refer to the Apache Mailing List Thread. Debian users should consult DSA-5521 and DSA-5522 for distribution-specific patches.
Workarounds
- Deploy a reverse proxy or WAF in front of Tomcat that validates redirect URLs and blocks requests containing external domains
- Configure the Tomcat application to only accept relative URLs for post-authentication redirects
- Remove or rename the ROOT web application if it is not required for production operations
- Implement strict Content Security Policy (CSP) headers to limit redirect destinations
# Example: Configure Apache HTTP Server as reverse proxy with redirect validation
# Add to Apache httpd.conf or virtual host configuration
# Block requests with external redirect URLs in query strings
RewriteEngine On
RewriteCond %{QUERY_STRING} (redirect|url|next|return)=https?:// [NC]
RewriteRule .* - [F,L]
# Alternatively, use mod_security rules to detect open redirect attempts
SecRule ARGS "@rx https?://[^/]*[^.]*\.[a-z]{2,}" "id:1001,deny,status:403,msg:'Potential open redirect attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
