Lucene search

K
ubuntucveUbuntu.comUB:CVE-2018-1304
HistoryFeb 28, 2018 - 12:00 a.m.

CVE-2018-1304

2018-02-2800:00:00
ubuntu.com
ubuntu.com
13

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

68.4%

The URL pattern of “” (the empty string) which exactly maps to the context
root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to
8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a
security constraint definition. This caused the constraint to be ignored.
It was, therefore, possible for unauthorised users to gain access to web
application resources that should have been protected. Only security
constraints with a URL pattern of the empty string were affected.

Bugs

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchtomcat7< 7.0.52-1ubuntu0.14UNKNOWN
ubuntu16.04noarchtomcat7< anyUNKNOWN
ubuntu17.10noarchtomcat8< 8.5.21-1ubuntu1.1UNKNOWN
ubuntu16.04noarchtomcat8< 8.0.32-1ubuntu1.6UNKNOWN

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

68.4%