CVE-2018-1304

CWE-284 — Improper Access Control14 documents9 sources

Severity

5.9MEDIUM

EPSS

2.1%

top 16.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Apache Software Foundation Apache Tomcat Canonical Ubuntu Linux +8 more

Timeline

PublishedFeb 28

Latest updateOct 17

Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affect…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages12 packages

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core9.0.0 — 9.0.5+3

▶NVDapache/tomcat7.0.0 — 7.0.84+5

▶CVEListV5apache_software_foundation/apache_tomcatApache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49, 7.0.0 to 7.0.84

▶Ubuntutomcat7< 7.0.52-1ubuntu0.14

▶Ubuntutomcat8< 8.0.32-1ubuntu1.6

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, 18.04

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: security.netapp.com ↗

🔴Vulnerability Details

OSV

Apache Tomcat unauthorized access vulnerability↗2018-10-17

▶

GHSA

Apache Tomcat unauthorized access vulnerability↗2018-10-17

▶

CVEList

CVE-2018-1304: The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9↗2018-02-28

▶

OSV

CVE-2018-1304: The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9↗2018-02-28

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerabilities↗2018-05-30

▶

Red Hat

tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources↗2018-01-31

▶

Debian

CVE-2018-1304: tomcat9 - The URL pattern of "" (the empty string) which exactly maps to the context root ...↗2018

▶

Apache

Apache tomcat: CVE-2018-1304↗

▶

💬Community

Bugzilla

CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources [fedora-all]↗2018-02-28

▶

Bugzilla

CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources [epel-all]↗2018-02-28

▶

Bugzilla

CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources [epel-all]↗2018-02-23

▶

Bugzilla

CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources↗2018-02-23

▶

Bugzilla

CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources [fedora-all]↗2018-02-23

▶