CVE-2018-1304
Description
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
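A defender-side configuration check for the condition described above, added here as an illustration and not part of this record or of Tomcat itself: it parses a web.xml for security constraints whose url-pattern is the empty string and reports them only when the Tomcat version string falls inside the affected ranges listed. The sample web.xml, the display names and the version strings are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Affected ranges from the advisory: (major, minor) -> last affected patch level.
# Pre-releases such as 9.0.0.M1 and 8.0.0.RC1 parse as patch 0, so they count as affected.
AFFECTED = {(9, 0): 4, (8, 5): 27, (8, 0): 49, (7, 0): 84}

def tomcat_version_affected(version: str) -> bool:
    """True if this Tomcat version string falls inside a range affected by CVE-2018-1304."""
    try:
        major, minor, patch = (int(p) for p in version.split(".")[:3])
    except ValueError:  # too few components, or a non-numeric one
        return False
    last = AFFECTED.get((major, minor))
    return last is not None and patch <= last

def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]

def find_empty_pattern_constraints(web_xml: str) -> list[str]:
    """Names of <security-constraint> blocks whose <url-pattern> is the empty string."""
    hits = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name = next((el.text.strip() for el in sc if _local(el.tag) == "display-name" and el.text), "(unnamed)")
        # Whitespace-only patterns are flagged as well, as a conservative review item.
        if any(_local(el.tag) == "url-pattern" and (el.text or "").strip() == "" for el in sc.iter()):
            hits.append(name)
    return hits

def assess(web_xml: str, tomcat_version: str) -> list[str]:
    """Constraints the given Tomcat version would silently ignore (empty list: not exposed)."""
    if not tomcat_version_affected(tomcat_version):
        return []
    return find_empty_pattern_constraints(web_xml)

# Constructed sample web.xml: the first constraint protects the context root with the empty-string pattern.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Context root</display-name>
    <web-resource-collection><web-resource-name>root</web-resource-name><url-pattern></url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Secure area</display-name>
    <web-resource-collection><web-resource-name>secure</web-resource-name><url-pattern>/secure/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
```

Running `assess(SAMPLE_WEB_XML, "8.5.27")` names the context-root constraint; the same deployment on 8.5.28 returns an empty list, which is the upgrade the table below records.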
Risk Information
Base Score: 5.9 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score (Exploitation Probability): 1.79
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Update Tomcat to 9.5.14 | Windows |
| Update Tomcat to 9.5.5 | Windows |
| Update Tomcat to 9.5.7 | Windows |
| Update Tomcat to 9.5.8 | Windows |
| Update Tomcat to 9.6.10 | Windows |
| Update Tomcat to 9.6.3 | Windows |
| Update Tomcat to 9.6.4 | Windows |
| Update Tomcat to 9.6.7 | Windows |
| Update Tomcat to 9.6.8 | Windows |
| Update Tomcat to 2.4.5 | Windows |
| Update Tomcat to 3.0.14 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.1 | Windows |
| Vulnerabilities CVE-2018-1336,CVE-2018-1304 are fixed in Apache - tomcat-embed-core 8.0.51 | Windows |
| Vulnerabilities CVE-2018-1305,CVE-2018-1304 are fixed in Apache - tomcat-embed-core 8.5.28 | Windows |
| Vulnerabilities CVE-2018-1305,CVE-2018-1304 are fixed in Apache - tomcat-embed-core 9.0.5 | Windows |
| Vulnerabilities CVE-2018-1304 are fixed in Apache - tomcat-embed-core 7.0.86 | Windows |
| Vulnerabilities CVE-2018-1304,CVE-2018-1305 are affected in IBM UrbanCode Deploy 6.1.3.7 | Windows |
| Servlet and JSP engine (USN-3665-1) tomcat7_7.0.52-1ubuntu0.14_all.deb | Linux |
| Servlet and JSP engine (USN-3665-1) tomcat8_8.0.32-1ubuntu1.6_all.deb | Linux |
| Servlet and JSP engine (USN-3665-1) tomcat8_8.5.21-1ubuntu1.1_all.deb | Linux |
| Servlet and JSP engine (USN-3665-1) libtomcat8-java_8.0.32-1ubuntu1.6_all.deb | Linux |
| Servlet and JSP engine (USN-3665-1) libtomcat8-java_8.5.21-1ubuntu1.1_all.deb | Linux |
| tomcat8 security update(DSA-3974-1) tomcat8_8.5.14-1+deb9u3_all.deb | Linux |
| tomcat8 security update(DSA-4281-1) tomcat8_8.5.14-1+deb9u3_all.deb | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-admin-webapps-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-docs-webapp-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-el-3_0-api-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-javadoc-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-jsp-2_3-api-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-lib-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-servlet-3_1-api-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:0817-1(SUSE Linux Enterprise Server 12-SP2 ) tomcat-webapps-8.0.50-29.8.2.noarch.rpm | Linux |
| SUSE-SU-2018:1847-1(SUSE Linux Enterprise Server 11-SP4 ) tomcat6-6.0.53-0.57.7.1.noarch.rpm | Linux |
| SUSE-SU-2018:1847-1(SUSE Linux Enterprise Server 11-SP4 ) tomcat6-admin-webapps-6.0.53-0.57.7.1.noarch.rpm | Linux |
| SUSE-SU-2018:1847-1(SUSE Linux Enterprise Server 11-SP4 ) tomcat6-docs-webapp-6.0.53-0.57.7.1.noarch.rpm | Linux |
| SUSE-SU-2018:1847-1(SUSE Linux Enterprise Server 11-SP4 ) tomcat6-javadoc-6.0.53-0.57.7.1.noarch.rpm | Linux |
| SUSE-SU-2018:1847-1(SUSE Linux Enterprise Server 11-SP4 ) tomcat6-jsp-2_1-api-6.0.53-0.57.7.1.noarch.rpm | Linux |
| SUSE-SU-2018:1847-1(SUSE Linux Enterprise Server 11-SP4 ) tomcat6-lib-6.0.53-0.57.7.1.noarch.rpm | Linux |
| SUSE-SU-2018:1847-1(SUSE Linux Enterprise Server 11-SP4 ) tomcat6-servlet-2_5-api-6.0.53-0.57.7.1.noarch.rpm | Linux |
| SUSE-SU-2018:1847-1(SUSE Linux Enterprise Server 11-SP4 ) tomcat6-webapps-6.0.53-0.57.7.1.noarch.rpm | Linux |
| Update Tomcat to 9.5.14 (For Linux) | Linux |
| Update Tomcat to 9.5.5 (For Linux) | Linux |
| Update Tomcat to 9.5.7 (For Linux) | Linux |
| Update Tomcat to 9.5.8 (For Linux) | Linux |
| Update Tomcat to 9.6.10 (For Linux) | Linux |
| Update Tomcat to 9.6.3 (For Linux) | Linux |
| Update Tomcat to 9.6.4 (For Linux) | Linux |
| Update Tomcat to 9.6.7 (For Linux) | Linux |
| Update Tomcat to 9.6.8 (For Linux) | Linux |
| Update Tomcat to 2.4.5 (For Linux) | Linux |
| Update Tomcat to 3.0.14 (For Linux) | Linux |
| Vulnerabilities CVE-2018-1336,CVE-2018-1304 are fixed in Apache - tomcat-embed-core for Linux 8.0.51 | Linux |
| Vulnerabilities CVE-2018-1305,CVE-2018-1304 are fixed in Apache - tomcat-embed-core for Linux 8.5.28 | Linux |
| Vulnerabilities CVE-2018-1305,CVE-2018-1304 are fixed in Apache - tomcat-embed-core for Linux 9.0.5 | Linux |
| Vulnerabilities CVE-2018-1304 are fixed in Apache - tomcat-embed-core for Linux 7.0.86 | Linux |
Patch Details
No records found
References