CVE-2018-1304

Published: Feb 28, 2018

Modified: Sep 17, 2024

Status: PUBLISHED

Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
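As an added example (not part of the CVE record and not Apache Tomcat's own code), the Python audit below does the two checks a practitioner would want after reading the description: it tests whether a Tomcat version string falls inside the affected ranges listed above, and it scans a web.xml for a security-constraint whose url-pattern is the empty string, since that is the only kind of constraint this bug silently drops. The web.xml sample is constructed for illustration, the function and constant names are this example's own, and an element with no text is treated as the empty-string pattern. The fix is to move to a release outside the affected ranges (the first such releases are 9.0.5, 8.5.28, 8.0.50 and 7.0.85); the audit only identifies deployments that combine an affected version with an empty-string constraint.

```python
"""Audit helpers for CVE-2018-1304 (Tomcat ignores a security constraint whose
url-pattern is the empty string).  Added example; not part of the CVE record
or of Apache Tomcat.  The sample web.xml below is constructed."""
import xml.etree.ElementTree as ET

# Highest affected micro version per (major, minor) line, taken from the
# ranges in the CVE description: 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27,
# 8.0.0.RC1 to 8.0.49, 7.0.0 to 7.0.84.
AFFECTED_MAX_MICRO = {(9, 0): 4, (8, 5): 27, (8, 0): 49, (7, 0): 84}


def parse_tomcat_version(version):
    """Return (major, minor, micro) from strings such as '9.0.4', '9.0.0.M1'
    or '8.0.0.RC1'.  Milestone/RC suffixes are ignored: the affected ranges
    begin at the first milestone of each line, so 9.0.0.M1 is in range."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected_version(version):
    """True if the Tomcat version lies inside one of the affected ranges."""
    major, minor, micro = parse_tomcat_version(version)
    limit = AFFECTED_MAX_MICRO.get((major, minor))
    return limit is not None and micro <= limit


def _local(tag):
    # web.xml is normally namespaced ({http://xmlns.jcp.org/xml/ns/javaee}tag);
    # compare on the local name so namespaced and bare files both work.
    return tag.rsplit("}", 1)[-1]


def find_empty_pattern_constraints(web_xml_text):
    """Return one dict per <security-constraint> containing a url-pattern
    equal to the empty string.  On an affected Tomcat that constraint is
    ignored, so the context root it was meant to protect is served without
    the auth-constraint being enforced.  An element with no text, or
    whitespace-only text, is treated as empty (assumption of this audit)."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name = None
        patterns = []
        for el in sc.iter():
            if _local(el.tag) == "display-name":
                name = (el.text or "").strip()
            elif _local(el.tag) == "url-pattern":
                patterns.append((el.text or "").strip())
        if "" in patterns:
            findings.append({"display-name": name, "url-patterns": patterns})
    return findings


# Constructed sample: the first constraint protects only the context root via
# the empty-string pattern (affected); the second protects /admin/* (not
# affected by this CVE).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Context root</display-name>
    <web-resource-collection>
      <web-resource-name>root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Admin</display-name>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def audit(version, web_xml_text):
    """Combine both checks: the findings only matter on an affected version."""
    findings = find_empty_pattern_constraints(web_xml_text)
    return {"affected_version": is_affected_version(version),
            "findings": findings}


if __name__ == "__main__":
    report = audit("8.5.27", SAMPLE_WEB_XML)
    print("Tomcat version affected:", report["affected_version"])
    for f in report["findings"]:
        print("constraint", repr(f["display-name"]),
              "uses the empty-string pattern:", f["url-patterns"])
```

Run against a real deployment, feed it the `server/version` string from `catalina.sh version` and the application's WEB-INF/web.xml; a finding on an affected version means the context root is reachable without the listed role, while constraints such as `/admin/*` are unaffected by this issue.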

Affected products

Vendor: Apache Software Foundation
Product: Apache Tomcat
Status: affected
Versions: 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49, 7.0.0 to 7.0.84

References

RHSA-2018:1448 (vendor advisory, Red Hat)
103170 (vulnerability database entry, SecurityFocus BID)
RHSA-2018:1449 (vendor advisory, Red Hat)
RHSA-2018:1450 (vendor advisory, Red Hat)
DSA-4281 (vendor advisory, Debian)
RHSA-2018:2939 (vendor advisory, Red Hat)
RHSA-2018:0465 (vendor advisory, Red Hat)
USN-3665-1 (vendor advisory, Ubuntu)
1040427 (vulnerability database entry, SecurityTracker)
RHSA-2018:1320 (vendor advisory, Red Hat)
RHSA-2018:1451 (vendor advisory, Red Hat)
RHSA-2018:0466 (vendor advisory, Red Hat)
RHSA-2018:1447 (vendor advisory, Red Hat)
RHSA-2019:2205 (vendor advisory, Red Hat)
