CVE-2018-1305
Severity
6.5 MEDIUM
EPSS
21.6%
top 4.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 23
Latest update: Oct 17
Description
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6
Affected Packages (8 packages)
CVEListV5 (apache_software_foundation/apache_tomcat): Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49, 7.0.0 to 7.0.84
Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, 18.04
Patches
Sections: Vulnerability Details | Exploits & PoCs (4) | Exploit-DB (1) | Vendor Advisories | Community (4) | Bugzilla (5)
Bugzilla
- CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users [fedora-all] (2018-02-28)
- CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users [epel-all] (2018-02-28)
- CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users [fedora-all] (2018-02-23)
- CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users [epel-all] (2018-02-23)
- CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (2018-02-23)