Skip to main content

CVE-2018-1305

Severity

6.8

Description

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible – depending on the order Servlets were loaded – for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Project

Apache Tomcat

Apache TomEE

Category
Information Disclosure
Tags
data
operational
Date Disclosed

2018-02-23

Date Discovered

2017-12-07

Apache Tomcat 9.0.x

First release:
2018-01-18
CVEs:
41
Support Lifecycle:
Namespace:
javax

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
100
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
87
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
101
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.5.x

First release:
2012-09-28
CVEs:
111
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.0.x

First release:
2012-04-27
CVEs:
121
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.