We have identified a VAPT issue in our Oracle APEX application deployed on ORDS 24.1.11 running on Apache Tomcat 9.0.11.
Observed behavior: When the application URL host is replaced with another value, the application redirects using that modified host instead of keeping the redirect restricted to the approved domain. For example, if the original host is replaced, the response follows the changed host value. For example, when the application is accessed using sdcoradb5.com:8083, and the host value is replaced with bing.com, the application redirects using the modified host value instead of the approved application domain. This indicates that the request host may be getting trusted in the Tomcat layer, which can lead to a host header injection or unvalidated redirect issue. Oracle support has advised that this needs to be checked at the Tomcat layer, so we are requesting your help to review the configuration and identify the root cause. Expected behavior: The application should only redirect to the approved application domain and should ignore or reject unexpected host values. Please investigate and suggest the required configuration or remediation steps.
