CVE-2018-1304

Severity: Unknown
EPSS: 17.72%


CVE-2018-1304 is a vulnerability of currently unknown severity. The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. EPSS estimates a 17.72% chance of exploitation in the next 30 days.

Description

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
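The following is an added example, not code from the NVD record or the Apache Tomcat project. It shows the configuration shape the description refers to (a security-constraint whose url-pattern is the empty string, beside an ordinary /admin/* constraint) and two checks a practitioner would run: flag every empty-pattern constraint in a web.xml, and classify a Tomcat version against the ranges listed on this page. The web.xml is constructed for illustration; the fixed versions assumed for the version check (7.0.85, 8.0.50, 8.5.28, 9.0.5) are the first releases after each affected range above.

```python
# Added example (not from the NVD record or the Apache Tomcat project): audit a
# web.xml for security constraints that the affected Tomcat releases ignore
# because their <url-pattern> is the empty string, and classify a Tomcat
# version against the affected ranges. SAMPLE_WEB_XML below is constructed.
import re
import xml.etree.ElementTree as ET

# Constructed sample: one constraint on the context root (empty pattern, the
# case CVE-2018-1304 breaks) and one on /admin/* (not affected).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>context root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Assumed first fixed release per branch (the release after each affected
# range on this page); everything earlier on the same branch, including
# 8.0.0.RC1 and 9.0.0.M1, is affected.
FIXED_IN = {(7, 0): (7, 0, 85), (8, 0): (8, 0, 50),
            (8, 5): (8, 5, 28), (9, 0): (9, 0, 5)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(?:M|RC)(\d+))?$")


def parse_tomcat_version(version):
    """Return a sortable tuple; milestones and RCs sort before the final build."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    # (..., 0, n) for a pre-release n, (..., 1, 0) for the final release
    return (major, minor, patch, 0 if pre else 1, int(pre) if pre else 0)


def tomcat_affected(version):
    """True if the version lies in one of the ranges NVD lists for CVE-2018-1304."""
    key = parse_tomcat_version(version)
    fixed = FIXED_IN.get(key[:2])
    if fixed is None:  # branches not listed on this page (6.0, 10.x, ...)
        return False
    return key < fixed + (1, 0)


def _local(tag):
    """Strip an XML namespace prefix such as {http://...javaee} from a tag."""
    return tag.rsplit("}", 1)[-1]


def empty_pattern_constraints(web_xml_text):
    """Names of web-resource-collections with an empty-string url-pattern."""
    root = ET.fromstring(web_xml_text)
    hits = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc.iter():
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name = next((c.text or "" for c in wrc
                         if _local(c.tag) == "web-resource-name"), "")
            for up in wrc:
                # <url-pattern></url-pattern> and <url-pattern/> both parse as None
                if _local(up.tag) == "url-pattern" and not (up.text or "").strip():
                    hits.append(name.strip())
    return hits


def audit(version, web_xml_text):
    """Constraints this Tomcat version would silently ignore (empty if none)."""
    if not tomcat_affected(version):
        return []
    return empty_pattern_constraints(web_xml_text)


if __name__ == "__main__":
    for v in ("9.0.4", "9.0.5"):
        print(v, "ignores:", audit(v, SAMPLE_WEB_XML))
```

Run against a deployed application's WEB-INF/web.xml (and any web-fragment.xml that contributes constraints), passing the server's version string from the Tomcat build. A non-empty result means the named resource collection is reachable without the configured authentication on that server; the /admin/* constraint in the sample is never reported, matching the description's note that only empty-string patterns were affected.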

Metrics

EPSS probability: 17.72% (96.8th percentile). This is the estimated probability of exploitation in the next 30 days.

Affected Software

Vendor     Product                                Versions               Update
Apache     Tomcat                                 >= 7.0.0, <= 7.0.84
Apache     Tomcat                                 >= 8.0.0, <= 8.0.49
Apache     Tomcat                                 >= 8.5.0, <= 8.5.27
Apache     Tomcat                                 >= 9.0.0, <= 9.0.4
Apache     Tomcat                                 8.0.0                  RC1
Apache     Tomcat                                 9.0.0                  Milestone 1
Red Hat    JBoss Enterprise Application Platform  6
Red Hat    JBoss Enterprise Application Platform  6.4
Red Hat    JBoss Enterprise Web Server            3.0.0
Red Hat    JBoss Middleware                       1
Debian     Debian Linux                           7.0
Debian     Debian Linux                           8.0
Debian     Debian Linux                           9.0
Canonical  Ubuntu Linux                           14.04
Canonical  Ubuntu Linux                           16.04
Canonical  Ubuntu Linux                           17.10
Canonical  Ubuntu Linux                           18.04
Oracle     Fusion Middleware                      12.2.1.3.0
Oracle     Hospitality Guest Access               4.2.0
Oracle     Hospitality Guest Access               4.2.1
Oracle     MICROS Relate CRM Software             11.4
Oracle     Secure Global Desktop                  5.3
Oracle     Secure Global Desktop                  5.4

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2018-1304?
A security constraint in web.xml whose url-pattern is "" (the empty string, which maps exactly to the context root) was ignored by Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84. Resources that the constraint should have protected were therefore reachable by unauthorised users. Constraints with any other URL pattern were not affected.
How severe is CVE-2018-1304?
Severity scoring for CVE-2018-1304 is pending analysis. The EPSS model estimates a 17.72% probability of exploitation in the next 30 days.
How do I fix CVE-2018-1304?
Upgrade to Apache Tomcat 7.0.85, 8.0.50, 8.5.28 or 9.0.5 or later, the first releases after the affected ranges listed above. For the Red Hat, Debian, Ubuntu and Oracle products in the affected-software list, apply those vendors' updated packages. Until the upgrade is in place, treat any security constraint whose url-pattern is the empty string as unenforced and confirm the exposure with an unauthenticated request to the application's context root.


Source: NVD / NIST