CVE-2018-1305

EUVD-2018-0634

23.02.2018, 23:29

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 95%

Affected Products (NVD)

Vendor	Product	Version
apache	tomcat	7.0.0 ≤ 𝑥 ≤ 7.0.84
apache	tomcat	8.0.0 ≤ 𝑥 ≤ 8.0.49
apache	tomcat	8.0.0:rc1
apache	tomcat	8.0.0:rc10
apache	tomcat	8.0.0:rc3
apache	tomcat	8.0.0:rc5
apache	tomcat	9.0.0
apache	tomcat	9.0.0:milestone1
apache	tomcat	9.0.0:milestone10
apache	tomcat	9.0.0:milestone11
apache	tomcat	9.0.0:milestone12
apache	tomcat	9.0.0:milestone13
apache	tomcat	9.0.0:milestone14
apache	tomcat	9.0.0:milestone15
apache	tomcat	9.0.0:milestone16
apache	tomcat	9.0.0:milestone17
apache	tomcat	9.0.0:milestone18
apache	tomcat	9.0.0:milestone19
apache	tomcat	9.0.0:milestone2
apache	tomcat	9.0.0:milestone20
apache	tomcat	9.0.0:milestone21
apache	tomcat	9.0.0:milestone22
apache	tomcat	9.0.0:milestone23
apache	tomcat	9.0.0:milestone24
apache	tomcat	9.0.0:milestone25
apache	tomcat	9.0.0:milestone26
apache	tomcat	9.0.0:milestone27
apache	tomcat	9.0.0:milestone3
apache	tomcat	9.0.0:milestone4
apache	tomcat	9.0.0:milestone5
apache	tomcat	9.0.0:milestone6
apache	tomcat	9.0.0:milestone7
apache	tomcat	9.0.0:milestone8
apache	tomcat	9.0.0:milestone9
apache	tomcat	9.0.1
apache	tomcat	9.0.2
apache	tomcat	9.0.3
apache	tomcat	9.0.4
apache	tomcat	8.5.0 ≤ 𝑥 ≤ 8.5.27
debian	debian_linux	7.0
debian	debian_linux	8.0
debian	debian_linux	9.0
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	17.10
canonical	ubuntu_linux	18.04
oracle	fusion_middleware	12.2.1.3.0
oracle	managed_file_transfer	12.1.3.0.0
oracle	managed_file_transfer	12.2.1.3.0
oracle	micros_relate_crm_software	11.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat9

bookworm	9.0.70-2 fixed
bullseye	9.0.43-2~deb11u10 fixed
bullseye (security)	9.0.43-2~deb11u10 fixed
sid	9.0.95-1 fixed
trixie	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat7

artful	not-affected
bionic	not-affected
cosmic	not-affected
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
mantic	dne
noble	dne
trusty	Fixed 7.0.52-1ubuntu0.14 released
xenial	needed

tomcat8

artful	Fixed 8.5.21-1ubuntu1.1 released
bionic	not-affected
cosmic	not-affected
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
mantic	dne
noble	dne
trusty	dne
xenial	Fixed 8.0.32-1ubuntu1.6 released

tomcat8.0

artful	ignored
bionic	dne
cosmic	dne
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
mantic	dne
noble	dne
trusty	dne
xenial	dne

References

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/103144

http://www.securitytracker.com/id/1040428

https://access.redhat.com/errata/RHSA-2018:0465

https://access.redhat.com/errata/RHSA-2018:0466

https://access.redhat.com/errata/RHSA-2018:1320

https://access.redhat.com/errata/RHSA-2018:2939

https://access.redhat.com/errata/RHSA-2019:2205

https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781%40%3Cannounce.tomcat.apache.org%3E

https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html

https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html

https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html

https://security.netapp.com/advisory/ntap-20180706-0001/

https://usn.ubuntu.com/3665-1/

https://www.debian.org/security/2018/dsa-4281

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/103144

http://www.securitytracker.com/id/1040428

https://access.redhat.com/errata/RHSA-2018:0465

https://access.redhat.com/errata/RHSA-2018:0466

https://access.redhat.com/errata/RHSA-2018:1320

https://access.redhat.com/errata/RHSA-2018:2939

https://access.redhat.com/errata/RHSA-2019:2205

https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781%40%3Cannounce.tomcat.apache.org%3E

https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html

https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html

https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html

https://security.netapp.com/advisory/ntap-20180706-0001/

https://usn.ubuntu.com/3665-1/

https://www.debian.org/security/2018/dsa-4281

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html