Lucene search

K
cveApacheCVE-2018-1304
HistoryFeb 28, 2018 - 8:29 p.m.

CVE-2018-1304

2018-02-2820:29:00
apache
web.nvd.nist.gov
218
cve-2018-1304
apache tomcat
security vulnerability
url pattern
unauthorized access

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.003

Percentile

68.4%

The URL pattern of “” (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Affected configurations

Nvd
Vulners
Node
apachetomcatRange7.0.07.0.84
OR
apachetomcatRange8.0.08.0.49
OR
apachetomcatRange8.5.08.5.27
OR
apachetomcatRange9.0.09.0.4
OR
apachetomcatMatch8.0.0rc1
OR
apachetomcatMatch9.0.0milestone1
OR
apachetomcatMatch9.0.0milestone10
OR
apachetomcatMatch9.0.0milestone11
OR
apachetomcatMatch9.0.0milestone12
OR
apachetomcatMatch9.0.0milestone13
OR
apachetomcatMatch9.0.0milestone14
OR
apachetomcatMatch9.0.0milestone15
OR
apachetomcatMatch9.0.0milestone16
OR
apachetomcatMatch9.0.0milestone17
OR
apachetomcatMatch9.0.0milestone18
OR
apachetomcatMatch9.0.0milestone19
OR
apachetomcatMatch9.0.0milestone2
OR
apachetomcatMatch9.0.0milestone20
OR
apachetomcatMatch9.0.0milestone21
OR
apachetomcatMatch9.0.0milestone22
OR
apachetomcatMatch9.0.0milestone23
OR
apachetomcatMatch9.0.0milestone24
OR
apachetomcatMatch9.0.0milestone25
OR
apachetomcatMatch9.0.0milestone26
OR
apachetomcatMatch9.0.0milestone27
OR
apachetomcatMatch9.0.0milestone3
OR
apachetomcatMatch9.0.0milestone4
OR
apachetomcatMatch9.0.0milestone5
OR
apachetomcatMatch9.0.0milestone6
OR
apachetomcatMatch9.0.0milestone7
OR
apachetomcatMatch9.0.0milestone8
OR
apachetomcatMatch9.0.0milestone9
Node
redhatjboss_enterprise_application_platformMatch6
OR
redhatjboss_enterprise_application_platformMatch6.4
OR
redhatjboss_enterprise_web_serverMatch3.0.0
AND
redhatenterprise_linuxMatch6.0
OR
redhatenterprise_linuxMatch7.0
Node
debiandebian_linuxMatch7.0
OR
debiandebian_linuxMatch8.0
OR
debiandebian_linuxMatch9.0
Node
canonicalubuntu_linuxMatch14.04lts
OR
canonicalubuntu_linuxMatch16.04lts
OR
canonicalubuntu_linuxMatch17.10
OR
canonicalubuntu_linuxMatch18.04lts
Node
oraclefusion_middlewareMatch12.2.1.3.0
OR
oraclehospitality_guest_accessMatch4.2.0
OR
oraclehospitality_guest_accessMatch4.2.1
OR
oraclemicros_relate_crm_softwareMatch11.4
OR
oraclesecure_global_desktopMatch5.3
OR
oraclesecure_global_desktopMatch5.4
Node
redhatjboss_middlewareMatch1
VendorProductVersionCPE
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone26::
apachetomcatcpe:/a:apache:tomcat::::
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone20::
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone4::
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone19::
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone23::
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone11::
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone24::
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone9::
apachetomcat9.0.0cpe:/a:apache:tomcat:9.0.0:milestone1::
Rows per page:
1-10 of 291

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49, 7.0.0 to 7.0.84"
      }
    ]
  }
]

References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.003

Percentile

68.4%