CVE-2018-1305

MEDIUMMonitor

Published:Feb 23, 2018(8 years ago)

Modified:Nov 21, 2024

Remote ExploitNo InteractionLow Complexity

Vulnerability Description

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Attack Characteristics

Network AccessLow ComplexityLow PrivilegesNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
apache	tomcat	7.0.0 - 7.0.84	-
apache	tomcat	8.0.0 - 8.0.49	-
apache	tomcat	-

Timeline

Published
CVE disclosed publicly
Feb 23, 20188 years ago
Last Modified
Most recent update
Nov 21, 20241 year ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247...Patch
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296...Patch
http://www.securityfocus.com/bid/103144Third Party Advisory

CVSS Score

v3.1

6.5/ 10.0

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

At a Glance

Affected Products

References

apache / tomcat

http://www.securitytracker.com/id/1040428Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0465Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0466Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1320Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2939Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2205

https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad226...

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c112...

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fb...

https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160b...

https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a7...

https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb...

https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c...

https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570cc...

https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63d...

https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fd...

https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8...

https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3...

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c587369...

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297...

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09...

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c...

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b3...

https://lists.debian.org/debian-lts-announce/2018/03/msg00004.htmlMailing List

https://lists.debian.org/debian-lts-announce/2018/06/msg00008.htmlMailing List

https://lists.debian.org/debian-lts-announce/2018/07/msg00044.htmlMailing List

https://security.netapp.com/advisory/ntap-20180706-0001/Third Party Advisory

https://usn.ubuntu.com/3665-1/Third Party Advisory

https://www.debian.org/security/2018/dsa-4281Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-507281...Patch

https://www.oracle.com/technetwork/security-advisory/cpujul2019-507283...

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247...Patch

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296...Patch

http://www.securityfocus.com/bid/103144Third Party Advisory