CVE-2018-1304

State: PUBLISHED · Published: 2018-02-28 · Updated: 2024-09-17 · Assigner: apache

Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

CWE

(none)

Affected

Apache Software Foundation / Apache Tomcat — v=Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49, 7.0.0 to 7.0.84 [affected]

CVSS

(none)

References

https://access.redhat.com/errata/RHSA-2018:1448 vendor-advisory, x_refsource_REDHAT
https://security.netapp.com/advisory/ntap-20180706-0001/ x_refsource_CONFIRM
http://www.securityfocus.com/bid/103170 vdb-entry, x_refsource_BID
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:1449 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1450 vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E x_refsource_MISC
https://www.debian.org/security/2018/dsa-4281 vendor-advisory, x_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2018:2939 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0465 vendor-advisory, x_refsource_REDHAT
https://usn.ubuntu.com/3665-1/ vendor-advisory, x_refsource_UBUNTU
http://www.securitytracker.com/id/1040427 vdb-entry, x_refsource_SECTRACK
https://access.redhat.com/errata/RHSA-2018:1320 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1451 vendor-advisory, x_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html mailing-list, x_refsource_MLIST
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html mailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2018:0466 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1447 vendor-advisory, x_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html x_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html x_refsource_MISC
https://access.redhat.com/errata/RHSA-2019:2205 vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC

Source

cvelistV5-main/cves/2018/1xxx/CVE-2018-1304.json