CVE-2018-1304
moderate-risk
Published 2018-02-28
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
Do I need to act?
~
2.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (20)
References (80)
Third Party Advisory
http://www.securityfocus.com/bid/103170
Third Party Advisory
http://www.securitytracker.com/id/1040427
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0465
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0466
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1320
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1447
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1448
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1449
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1450
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1451
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2939
and 60 more references
48
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
5/34 · Minimal
Exposure
25/34 · High