Home > Vulnerability Database > CVE-2018-1304

Mend.io Vulnerability Database

CVE-2018-1304

Good to know:

Date: February 28, 2018

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Language: Java

Severity Score

5.9

Related Resources (45)

Url: https://www.oracle.com/security-alerts/cpuapr2020.html

Url: https://access.redhat.com/errata/RHSA-2018:1448

Url: https://usn.ubuntu.com/3665-1/

Url: https://access.redhat.com/errata/RHSA-2019:2205

Url: https://access.redhat.com/errata/RHSA-2018:1449

Url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Url: https://access.redhat.com/errata/RHSA-2018:1447

Url: https://security-tracker.debian.org/tracker/CVE-2018-1304

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Url: http://www.securityfocus.com/bid/103170

Url: https://access.redhat.com/errata/RHSA-2018:2939

Url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E

Url: http://www.securitytracker.com/id/1040427

Url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

Url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

Url: https://www.debian.org/security/2018/dsa-4281

Url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:0466

Url: https://access.redhat.com/errata/RHSA-2018:0465

Url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:1451

Url: https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html

Url: https://access.redhat.com/errata/RHSA-2018:1450

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Url: https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1304

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-1304

Url: https://access.redhat.com/security/cve/CVE-2018-1304

Url: https://security.netapp.com/advisory/ntap-20180706-0001/

Url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:1320

Url: https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html

Url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2018-1304

Severity Score

5.9

Weakness Type (CWE)

Security Features

CWE-254

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version 9.0.5,8.5.28,8.0.50,7.0.85

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-1304

Good to know:

Date: February 28, 2018

Language: Java

Severity Score

Related Resources (45)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?