Skip to main content

CVE-2018-1305

Severity

6.8

Description

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible – depending on the order Servlets were loaded – for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

Project

Apache Tomcat

Apache TomEE

Category
Information Disclosure
Tags
data
operational
Date Disclosed

2018-02-23

Date Discovered

2017-12-07

Apache Tomcat 9.0.x

First release:
2018-01-18
CVEs:
49
Support Lifecycle:
Namespace:
javax
9.0.19.0.29.0.4

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
111
Support Lifecycle:
Namespace:
javax
7.0.07.0.17.0.27.0.37.0.4

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
95
Support Lifecycle:
Namespace:
javax
1.7.01.7.11.7.21.7.31.7.41.7.5

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
108
Support Lifecycle:
Namespace:
javax
1.6.01.6.0.11.6.0.2

Apache TomEE 1.5.x

First release:
2012-09-28
CVEs:
119
Support Lifecycle:
Namespace:
javax
1.5.01.5.11.5.2

Apache TomEE 1.0.x

First release:
2012-04-27
CVEs:
130
Support Lifecycle:
Namespace:
javax
1.0.0
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.