CVE-2018-1304

Current Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
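The following Python audit script is an added example, not part of this record or of Tomcat itself: it parses a constructed web.xml for security constraints that use the empty-string url-pattern and checks a reported Tomcat version against the affected ranges stated above, so an operator can see which constraints an affected server would have ignored. The version ordering rule (M/RC pre-releases sorting before the GA build of the same number) and the sample web.xml are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Affected Tomcat ranges as stated in the CVE text (both ends inclusive).
AFFECTED = [("7.0.0", "7.0.84"), ("8.0.0.RC1", "8.0.49"),
            ("8.5.0", "8.5.27"), ("9.0.0.M1", "9.0.4")]

def version_key(version):
    """Sortable key for Tomcat versions; M/RC pre-releases sort before the GA build."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(?:M|RC)(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, int(pre or 0))

def is_affected(version):
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED)

def empty_pattern_constraints(web_xml):
    """Names of <security-constraint>s whose <url-pattern> is the empty string."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]   # drop the Java EE namespace
    hits = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc) != "security-constraint":
            continue
        name, empty = "(unnamed)", False
        for el in sc.iter():
            if local(el) == "web-resource-name" and el.text:
                name = el.text.strip()
            elif local(el) == "url-pattern" and (el.text or "") == "":
                empty = True   # "" maps to the context root only
        if empty:
            hits.append(name)
    return hits

def audit(version, web_xml):
    """Constraints an affected Tomcat would silently ignore; [] means nothing to fix."""
    return empty_pattern_constraints(web_xml) if is_affected(version) else []

# Constructed sample web.xml: only the first constraint uses the empty pattern.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint><web-resource-collection>
    <web-resource-name>Context root</web-resource-name><url-pattern></url-pattern>
  </web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection>
    <web-resource-name>Admin area</web-resource-name><url-pattern>/admin/*</url-pattern>
  </web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
</web-app>"""
```

Running `audit("8.5.27", SAMPLE_WEB_XML)` returns `['Context root']`; the same web.xml on 8.5.28 returns an empty list because that version is outside the stated ranges.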

Basic Data

Published: February 28, 2018
Last Modified: October 03, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-noinfo
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: HIGH
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: HIGH
CVSS 3 - Integrity Impact: NONE
CVSS 3 - Availability Impact: NONE
CVSS 3 - Base Score: 5.9
CVSS 3 - Base Severity: MEDIUM
Exploitability Score: 2.2
Base Severity: MEDIUM

Configurations

All entries are CPE 2.3. Columns that are "*" for every row (Edition, Language, Target SW, Target HW, Other) and the exclusive version bounds (empty for every row) are omitted; "-" marks an empty cell.

  • OR - Configuration 1
    Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
    Application | Apache | Tomcat | * | * | * | 7.0.0 | 7.0.84
    Application | Apache | Tomcat | * | * | * | 8.0.0 | 8.0.49
    Application | Apache | Tomcat | 8.0.0 | rc1 | * | - | -
    Application | Apache | Tomcat | * | * | * | 8.5.0 | 8.5.27
    Application | Apache | Tomcat | * | * | * | 9.0.0 | 9.0.4
    Application | Apache | Tomcat | 9.0.0 | m1 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m10 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m11 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m12 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m13 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m14 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m15 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m16 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m17 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m18 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m19 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m2 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m20 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m21 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m22 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m23 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m24 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m25 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m26 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m27 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m3 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m4 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m5 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m6 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m7 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m8 | * | - | -
    Application | Apache | Tomcat | 9.0.0 | m9 | * | - | -
  • AND
    • OR - Configuration 2
      Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
      Application | Redhat | Jboss Enterprise Application Platform | 6 | * | * | - | -
      Application | Redhat | Jboss Enterprise Application Platform | 6.4 | * | * | - | -
      Application | Redhat | Jboss Enterprise Web Server | 3.0.0 | * | * | - | -
    • OR Running on/with:
      Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
      OS | Redhat | Enterprise Linux | 6.0 | * | * | - | -
      OS | Redhat | Enterprise Linux | 7.0 | * | * | - | -
  • OR - Configuration 3
    Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
    OS | Debian | Debian Linux | 7.0 | * | * | - | -
    OS | Debian | Debian Linux | 8.0 | * | * | - | -
    OS | Debian | Debian Linux | 9.0 | * | * | - | -
  • OR - Configuration 4
    Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
    OS | Canonical | Ubuntu Linux | 14.04 | * | lts | - | -
    OS | Canonical | Ubuntu Linux | 16.04 | * | lts | - | -
    OS | Canonical | Ubuntu Linux | 17.10 | * | * | - | -
    OS | Canonical | Ubuntu Linux | 18.04 | * | lts | - | -
  • OR - Configuration 5
    Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
    Application | Oracle | Fusion Middleware | 12.2.1.3.0 | * | * | - | -
    Application | Oracle | Hospitality Guest Access | 4.2.0 | * | * | - | -
    Application | Oracle | Hospitality Guest Access | 4.2.1 | * | * | - | -
    Application | Oracle | Micros Relate Crm Software | 11.4 | * | * | - | -
    Application | Oracle | Secure Global Desktop | 5.3 | * | * | - | -
    Application | Oracle | Secure Global Desktop | 5.4 | * | * | - | -
  • OR - Configuration 6
    Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
    Application | Redhat | Jboss Middleware | 1 | * | * | - | -

Vulnerable Software List

Vendor | Product | Versions
Debian | Debian Linux | 7.0, 8.0, 9.0
Apache | Tomcat | *, 8.0.0, 9.0.0
Redhat | Jboss Enterprise Application Platform | 6, 6.4
Redhat | Jboss Enterprise Web Server | 3.0.0
Redhat | Jboss Middleware | 1
Canonical | Ubuntu Linux | 14.04, 16.04, 17.10, 18.04
Oracle | Fusion Middleware | 12.2.1.3.0
Oracle | Micros Relate Crm Software | 11.4
Oracle | Secure Global Desktop | 5.3, 5.4
Oracle | Hospitality Guest Access | 4.2.0, 4.2.1

References

Name | URL | Source | Tags
("(same as Name)" means the reference name is the URL itself; "-" marks an empty cell. Several mailing-list URLs were cut short in this record and are kept as they appear.)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | (same as Name) | CONFIRM | Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | (same as Name) | CONFIRM | Patch, Third Party Advisory
103170 | http://www.securityfocus.com/bid/103170 | BID | Third Party Advisory, VDB Entry
1040427 | http://www.securitytracker.com/id/1040427 | SECTRACK | Third Party Advisory, VDB Entry
RHSA-2018:0465 | https://access.redhat.com/errata/RHSA-2018:0465 | REDHAT | Third Party Advisory
RHSA-2018:0466 | https://access.redhat.com/errata/RHSA-2018:0466 | REDHAT | Third Party Advisory
RHSA-2018:1320 | https://access.redhat.com/errata/RHSA-2018:1320 | REDHAT | Third Party Advisory
RHSA-2018:1447 | https://access.redhat.com/errata/RHSA-2018:1447 | REDHAT | Third Party Advisory
RHSA-2018:1448 | https://access.redhat.com/errata/RHSA-2018:1448 | REDHAT | Third Party Advisory
RHSA-2018:1449 | https://access.redhat.com/errata/RHSA-2018:1449 | REDHAT | Third Party Advisory
RHSA-2018:1450 | https://access.redhat.com/errata/RHSA-2018:1450 | REDHAT | Third Party Advisory
RHSA-2018:1451 | https://access.redhat.com/errata/RHSA-2018:1451 | REDHAT | Third Party Advisory
RHSA-2018:2939 | https://access.redhat.com/errata/RHSA-2018:2939 | REDHAT | Third Party Advisory
RHSA-2019:2205 | https://access.redhat.com/errata/RHSA-2019:2205 | REDHAT | -
[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev | MLIST | Mailing List, Vendor Advisory
[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev | MLIST | Mailing List, Vendor Advisory
[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev | MLIST | Mailing List, Vendor Advisory
[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev | MLIST | Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E | https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cann | MISC | Mailing List, Vendor Advisory
[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev | MLIST | Mailing List, Vendor Advisory
[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev | MLIST | Mailing List, Vendor Advisory
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cde | MLIST | -
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cde | MLIST | -
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cde | MLIST | -
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cde | MLIST | -
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cde | MLIST | -
[debian-lts-announce] 20180306 [SECURITY] [DLA 1301-1] tomcat7 security update | https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html | MLIST | Issue Tracking, Third Party Advisory
[debian-lts-announce] 20180627 [SECURITY] [DLA 1400-1] tomcat7 security update | https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html | MLIST | Mailing List, Third Party Advisory
[debian-lts-announce] 20180729 [SECURITY] [DLA 1450-1] tomcat8 security update | https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html | MLIST | Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20180706-0001/ | (same as Name) | CONFIRM | Patch, Third Party Advisory
USN-3665-1 | https://usn.ubuntu.com/3665-1/ | UBUNTU | Third Party Advisory
DSA-4281 | https://www.debian.org/security/2018/dsa-4281 | DEBIAN | Third Party Advisory
N/A | https://www.oracle.com/security-alerts/cpuapr2020.html | N/A | -
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html | (same as Name) | MISC | Patch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | (same as Name) | MISC | -