Skip to main content

CVE-2018-1304

Severity

6.8

Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue. If upgrading is not a viable option, this vulnerability can be mitigated by ensuring that all security constraints set to an empty string are instead specifically mapped to the root directory ("/").

Related links:

Project

Apache Tomcat

Apache TomEE

Category
Information Disclosure
Tags
data
operational
configuration
Date Disclosed

2018-02-28

Date Discovered

2017-12-07

Apache Tomcat 9.0.x

First release:
2018-01-18
0
Support Lifecycle:
Namespace:
javax
9.0.19.0.29.0.4

Apache TomEE 7.0.x

First release:
2016-05-17
0
Support Lifecycle:
Namespace:
javax
7.0.07.0.17.0.27.0.37.0.4

Apache TomEE 1.7.x

First release:
2014-08-09
0
Support Lifecycle:
Namespace:
javax
1.7.01.7.11.7.21.7.31.7.41.7.5

Apache TomEE 1.6.x

First release:
2013-11-17
0
Support Lifecycle:
Namespace:
javax
1.6.01.6.0.11.6.0.2

Apache TomEE 1.5.x

First release:
2012-09-28
0
Support Lifecycle:
Namespace:
javax
1.5.01.5.11.5.2

Apache TomEE 1.0.x

First release:
2012-04-27
0
Support Lifecycle:
Namespace:
javax
1.0.0
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.