CVE-2018-1304

Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

5.9

CVSS

Severity: Medium

CVSS 3.0 •

CVSS 2.0 •

EPSS 1.72% Top 20%

Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory debian.org Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory ubuntu.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com

Affected: Apache Software Foundation Apache Tomcat

References

Link	Tags
https://access.redhat.com/errata/RHSA-2018:1448	third party advisory vendor advisory
https://security.netapp.com/advisory/ntap-20180706-0001/	third party advisory patch
http://www.securityfocus.com/bid/103170	third party advisory vdb entry
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	third party advisory patch
https://access.redhat.com/errata/RHSA-2018:1449	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:1450	third party advisory vendor advisory
https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E
https://www.debian.org/security/2018/dsa-4281	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:2939	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:0465	third party advisory vendor advisory
https://usn.ubuntu.com/3665-1/	third party advisory vendor advisory
http://www.securitytracker.com/id/1040427	third party advisory vdb entry
https://access.redhat.com/errata/RHSA-2018:1320	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:1451	third party advisory vendor advisory
https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html	mailing list third party advisory issue tracking
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	third party advisory patch
https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html	third party advisory mailing list
https://access.redhat.com/errata/RHSA-2018:0466	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:1447	third party advisory vendor advisory
https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html	third party advisory mailing list
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E	mailing list
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	third party advisory patch
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:2205	vendor advisory
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E	mailing list
https://www.oracle.com/security-alerts/cpuapr2020.html

Frequently Asked Questions

What is the severity of CVE-2018-1304?: CVE-2018-1304 has been scored as a medium severity vulnerability.
How to fix CVE-2018-1304?: To fix CVE-2018-1304, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2018-1304 being actively exploited in the wild?: It is possible that CVE-2018-1304 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2018-1304?: CVE-2018-1304 affects Apache Software Foundation Apache Tomcat.