CVE-2018-1304
tomcat8 - security update
Severity: 5.9 MEDIUM (CVSS 3.1)
EPSS: 3.0%
Description
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
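The description above concerns only security constraints whose URL pattern is the empty string. A defender triaging a Tomcat deployment therefore wants to know whether any deployed web.xml actually uses that pattern; the following script, added here as an example and not part of the advisory or of Tomcat itself, parses a web.xml and reports the constraints that would have been silently ignored on an affected version. The sample web.xml is constructed for illustration; the function and its name are this example's own, and the namespace handling is generic so the check works across web-app schema versions.

```python
"""Report <security-constraint> entries in a web.xml whose URL pattern is the
empty string, the only pattern affected by CVE-2018-1304 (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not taken from the page): the first constraint
# protects the context root with the empty-string pattern, the second uses a
# conventional path pattern and is unaffected.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>ProtectRoot</display-name>
    <web-resource-collection>
      <web-resource-name>root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>ProtectAdmin</display-name>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace prefix so the check is schema-version agnostic."""
    return tag.rsplit("}", 1)[-1]


def find_empty_pattern_constraints(web_xml: str) -> list:
    """Return the display names of security constraints that rely on the
    empty-string URL pattern (the pattern whose constraint was ignored on
    affected Tomcat versions)."""
    root = ET.fromstring(web_xml)
    flagged = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        # display-name is optional in the schema; fall back to a placeholder.
        name = next(
            (e.text or "" for e in constraint.iter() if _local(e.tag) == "display-name"),
            "<unnamed>",
        )
        # An empty <url-pattern/> parses with text None, hence the `or ""`.
        patterns = [
            (e.text or "").strip()
            for e in constraint.iter()
            if _local(e.tag) == "url-pattern"
        ]
        if "" in patterns:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in find_empty_pattern_constraints(SAMPLE_WEB_XML):
        print(f"constraint '{name}' uses the empty-string URL pattern; "
              f"verify the Tomcat version is outside the affected ranges")
```

Run it against each deployed application's WEB-INF/web.xml; a non-empty result on a Tomcat build inside the affected ranges listed above means that constraint was not being enforced until the upgrade.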
How to fix CVE-2018-1304
To remediate CVE-2018-1304, upgrade the affected package to a fixed version below.
- upgrade to 7.0.28-4+deb7u18 or later
- upgrade to 8.0.14-1+deb8u12 or later
- upgrade to 8.5.14-1+deb9u3 or later
- upgrade to 9.0.5 or later
Is CVE-2018-1304 being exploited?
Low — the EPSS score of 3.0% indicates a low estimated probability of exploitation in the wild.
Affected packages (4)
- >= 0, < 7.0.28-4+deb7u18
- >= 0, < 8.0.14-1+deb8u12
- >= 0, < 8.5.14-1+deb9u3
- >= 9.0.0, < 9.0.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.9) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |