CVE-2018-1305

Description

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Risk Information

Base Score: 6.5 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score (Exploitation Probability): 19.266

Associated Vulnerability

Vulnerability | OS Platform
Update Tomcat to 9.5.14 | Windows
Update Tomcat to 9.5.5 | Windows
Update Tomcat to 9.5.7 | Windows
Update Tomcat to 9.5.8 | Windows
Update Tomcat to 9.6.10 | Windows
Update Tomcat to 9.6.3 | Windows
Update Tomcat to 9.6.4 | Windows
Update Tomcat to 9.6.7 | Windows
Update Tomcat to 9.6.8 | Windows
Update Tomcat to 2.4.5 | Windows
Update Tomcat to 3.0.14 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.3.1 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.0 | Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 10.4.1 | Windows
Vulnerabilities CVE-2018-1305,CVE-2018-1304 are fixed in Apache - tomcat-embed-core 8.5.28 | Windows
Vulnerabilities CVE-2018-1305 are fixed in Apache - tomcat-embed-core 7.0.85 | Windows
Vulnerabilities CVE-2018-1305,CVE-2018-1304 are fixed in Apache - tomcat-embed-core 9.0.5 | Windows
Vulnerabilities CVE-2018-1304,CVE-2018-1305 are affected in IBM UrbanCode Deploy 6.1.3.7 | Windows
Servlet and JSP engine (USN-3665-1) tomcat7_7.0.52-1ubuntu0.14_all.deb | Linux
Servlet and JSP engine (USN-3665-1) tomcat8_8.0.32-1ubuntu1.6_all.deb | Linux
Servlet and JSP engine (USN-3665-1) tomcat8_8.5.21-1ubuntu1.1_all.deb | Linux
Servlet and JSP engine (USN-3665-1) libtomcat8-java_8.0.32-1ubuntu1.6_all.deb | Linux
Servlet and JSP engine (USN-3665-1) libtomcat8-java_8.5.21-1ubuntu1.1_all.deb | Linux
tomcat8 security update (DSA-3974-1) tomcat8_8.5.14-1+deb9u3_all.deb | Linux
tomcat8 security update (DSA-4281-1) tomcat8_8.5.14-1+deb9u3_all.deb | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-8.0.50-29.8.2.noarch.rpm | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-admin-webapps-8.0.50-29.8.2.noarch.rpm | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-docs-webapp-8.0.50-29.8.2.noarch.rpm | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-el-3_0-api-8.0.50-29.8.2.noarch.rpm | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-javadoc-8.0.50-29.8.2.noarch.rpm | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-jsp-2_3-api-8.0.50-29.8.2.noarch.rpm | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-lib-8.0.50-29.8.2.noarch.rpm | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-servlet-3_1-api-8.0.50-29.8.2.noarch.rpm | Linux
SUSE-SU-2018:0817-1 (SUSE Linux Enterprise Server 12-SP2) tomcat-webapps-8.0.50-29.8.2.noarch.rpm | Linux
Update Tomcat to 9.5.14 (For Linux) | Linux
Update Tomcat to 9.5.5 (For Linux) | Linux
Update Tomcat to 9.5.7 (For Linux) | Linux
Update Tomcat to 9.5.8 (For Linux) | Linux
Update Tomcat to 9.6.10 (For Linux) | Linux
Update Tomcat to 9.6.3 (For Linux) | Linux
Update Tomcat to 9.6.4 (For Linux) | Linux
Update Tomcat to 9.6.7 (For Linux) | Linux
Update Tomcat to 9.6.8 (For Linux) | Linux
Update Tomcat to 2.4.5 (For Linux) | Linux
Update Tomcat to 3.0.14 (For Linux) | Linux
Vulnerabilities CVE-2018-1305,CVE-2018-1304 are fixed in Apache - tomcat-embed-core for Linux 8.5.28 | Linux
Vulnerabilities CVE-2018-1305 are fixed in Apache - tomcat-embed-core for Linux 7.0.85 | Linux
Vulnerabilities CVE-2018-1305,CVE-2018-1304 are fixed in Apache - tomcat-embed-core for Linux 9.0.5 | Linux
CVE-2018-1305 | NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234