Fixed in Apache Tomcat 7.0.85

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

Fixed in Apache Tomcat 8.0.50

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

Fixed in Apache Tomcat 9.0.5

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

PT-2018-2767 · Apache +5 · Apache Tomcat +5

Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 9.0.0.M1 through 9.0.4 Apache Tomcat versions 8.5.0 through 8.5.27 Apache Tomcat versions 8.0.0.RC1 through 8.0.49 Apache Tomcat versions 7.0.0 through 7.0.84 Description: The issue arises from the incorrect handling of...

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space...

Authorization

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space...

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space...

CVE-2016-5007

CVE-2016-5007 affects Spring Security (3.2.x, 4.0.x, 4.1.0) and Spring Framework (3.2.x, 4.0.x, 4.1.x, 4.2.x). The root cause is differences in URL pattern matching/space trimming that can cause some paths to be treated as protected when they should not be, due to varying pattern matching between...

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space...

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space...

Drupal Monster Menus Module Information Disclosure Vulnerability

Drupal is an open source content management framework written in PHP, which consists of a content management system and a PHP development framework. Monster Menus module for Drupal is a module for developing Drupal 6 and Drupal 7 versions of Drupal. An information disclosure vulnerability exists ...

CVE-2014-3170

extensions/common/urlpattern.cc in Google Chrome before 37.0.2062.94 does not prevent use of a '\0' character in a host name, which allows remote attackers to spoof the extension permission dialog by relying on truncation after this character...

DSA-1645-1 lighttpd - various problems

Bulletin has no description...

CVE-2004-0711

The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "" as wildcards as if they were the legal "/" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected...

CVE-2004-0711

The CVE describes a flaw in BEA WebLogic Server 6.x URL pattern matching where illegal patterns ending in “” are treated as the legal “/ ” wildcard. This could allow WebLogic 7.x to bypass access restrictions because these illegal patterns are (purportedly) rejected but effectively treated as all...

CVE-2004-0711

The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "" as wildcards as if they were the legal "/" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected...

Spam-protection

We need something like MT-Blacklist: the ability to define URL patterns that flag a page and/or comment as spam. It shouldn't be too hard to do - we already track URL links. The UI will need some thought though what do you do if you define a URL as spam, and it's in a page? Revert the page back t...

BEA WebLogic Server contains a vulnerability in the URL pattern matching

Overview There is a vulnerability in the URL pattern matching functionality of BEA WebLogic Server that could allow URL restrictions to be bypassed. Description BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and...

Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue

-- Corsaire Security Advisory -- Title: Symantec Enterprise Firewall SEF HTTP URL pattern evasion issue Date: 24.02.03 Application: Symantec Enterprise Firewall SEF 7.0 Environment: Windows NT 4.0, Windows 2000, Author: Martin O'Neal [email protected] Audience: General Distribution -- Sco...