MEDIUM · 5.9

CVE-2018-1304

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition, causing the constraint to be ignored.

Vulnerability Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
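The practical question for a defender is whether any deployed web.xml relies on an empty-string url-pattern inside a security-constraint, since on the listed Tomcat versions such a constraint is silently ignored. The following Python check is an added example written for this page; it is not code from the Tomcat project or from the CVE record. It scans a constructed sample web.xml for security constraints with an empty url-pattern and compares a Tomcat version against the affected ranges stated in the description above (pre-release suffixes such as M1 or RC1 are assumed to sort with their numeric base version, which matches the lower bounds given).

```python
"""Flag security constraints that rely on the empty-string url-pattern (CVE-2018-1304)."""
import re
import xml.etree.ElementTree as ET

# Affected Tomcat ranges, taken from the CVE description on this page.
# Pre-release lower bounds (9.0.0.M1, 8.0.0.RC1) are represented by their numeric base.
AFFECTED_RANGES = [
    ((9, 0, 0), (9, 0, 4)),
    ((8, 5, 0), (8, 5, 27)),
    ((8, 0, 0), (8, 0, 49)),
    ((7, 0, 0), (7, 0, 84)),
]

# Constructed sample web.xml (not from the page): the first constraint protects the
# context root via the empty-string pattern, the second is an ordinary path prefix.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Context root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def parse_tomcat_version(version):
    """Return (major, minor, patch) from strings like '8.5.27' or '9.0.0.M1'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_tomcat(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_tomcat_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _local(tag):
    """Strip the XML namespace so web.xml files with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def find_empty_pattern_constraints(web_xml_text):
    """Return the web-resource-name of every collection using an empty url-pattern.

    A whitespace-only pattern is treated as empty as well (a conservative assumption
    made here, not behaviour documented on the page).
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name, has_empty = "", False
            for child in wrc:
                text = (child.text or "").strip()
                if _local(child.tag) == "web-resource-name":
                    name = text
                elif _local(child.tag) == "url-pattern" and text == "":
                    has_empty = True
            if has_empty:
                findings.append(name)
    return findings


def report(web_xml_text, tomcat_version):
    """One line per finding, stating whether the running Tomcat honours the constraint."""
    status = ("IGNORED on affected Tomcat " + tomcat_version
              if is_affected_tomcat(tomcat_version)
              else "honoured on Tomcat " + tomcat_version)
    return [f"security-constraint {name!r}: empty url-pattern -> {status}"
            for name in find_empty_pattern_constraints(web_xml_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_WEB_XML, "8.5.27"):
        print(line)
```

Run it against each deployed web.xml together with the version reported by the Tomcat instance; a non-empty report on an affected version means the context root is effectively unprotected until the server is upgraded.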

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor | Product | Versions
Apache | Tomcat | >= 7.0.0, <= 7.0.84
Red Hat | JBoss Enterprise Application Platform | 6
Red Hat | JBoss Enterprise Web Server | 3.0.0
Red Hat | Enterprise Linux | 6.0
Debian | Debian Linux | 7.0
Canonical | Ubuntu Linux | 14.04
Oracle | Fusion Middleware | 12.2.1.3.0
Oracle | Hospitality Guest Access | 4.2.0
Oracle | Micros Relate CRM Software | 11.4
Oracle | Secure Global Desktop | 5.3
Red Hat | JBoss Middleware | 1

References

FAQ

What is CVE-2018-1304?

CVE-2018-1304 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition, so the constraint was ignored and unauthorised users could reach resources that should have been protected.

How severe is CVE-2018-1304?

CVE-2018-1304 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2018-1304?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Red Hat JBoss Enterprise Application Platform, Red Hat JBoss Enterprise Web Server, Red Hat Enterprise Linux and Debian Linux.