exploitDog
CVE-2018-1304

Published: 31 Jan 2018
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Affected packages

Platform                                  Package                              State         Recommendation  Release
Red Hat Enterprise Linux 5                tomcat5                              Not affected
Red Hat Enterprise Linux 6                tomcat6                              Not affected
Red Hat Enterprise Linux 8                pki-deps:10.6/pki-servlet-container  Not affected
Red Hat JBoss Data Grid 6                 jbossweb                             Will not fix
Red Hat JBoss Data Virtualization 6       jbossweb                             Not affected
Red Hat JBoss Enterprise Web Server 2     tomcat6                              Not affected
Red Hat JBoss Enterprise Web Server 2     tomcat7                              Will not fix
Red Hat JBoss Fuse 6                      jbossweb                             Not affected
Red Hat JBoss Fuse 6                      karaf                                Not affected
Red Hat JBoss Fuse Integration Service 2  tomcat8                              Affected


Additional information

Status: Moderate
Defect: CWE-284
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1548289
tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources

EPSS: 0.01722 (percentile 82%, Low)
CVSS3: 6.5 Medium

Related vulnerabilities

CVSS3: 5.9
ubuntu
more than 7 years ago

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

CVSS3: 5.9
nvd
more than 7 years ago

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

CVSS3: 5.9
debian
more than 7 years ago

The URL pattern of "" (the empty string) which exactly maps to the con ...

CVSS3: 5.9
github
more than 6 years ago

Apache Tomcat unauthorized access vulnerability

CVSS3: 5.9
fstec
more than 7 years ago

Vulnerability in the Apache Tomcat application server related to errors in security settings, allowing an attacker to gain access to web application resources
