NVD Vulnerability Detail

CVE-2018-1304

Summary	The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
Publication Date	March 1, 2018, 5:29 a.m.
Registration Date	March 1, 2021, 6:51 p.m.
Last Update	Nov. 21, 2024, 12:59 p.m.

CVSS3.0 : MEDIUM
スコア	5.9
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:8.0.0:rc1::::::
cpe:2.3:a:apache:tomcat::::::::	8.5.0	8.5.27
cpe:2.3:a:apache:tomcat::::::::	8.0.0	8.0.49
cpe:2.3:a:apache:tomcat::::::::	9.0.0	9.0.4
cpe:2.3:a:apache:tomcat::::::::	7.0.0	7.0.84
cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:::::::*
execution environment
1	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
2	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:7.0:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
cpe:2.3:a:oracle:secure_global_desktop:5.4:::::::*
cpe:2.3:a:oracle:secure_global_desktop:5.3:::::::*
cpe:2.3:a:oracle:micros_relate_crm_software:11.4:::::::*
cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:a:redhat:jboss_middleware:1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
2	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
3	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch Third Party Advisory
4	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch Third Party Advisory
5	http://www.securityfocus.com/bid/103170	Third Party Advisory VDB Entry
6	http://www.securityfocus.com/bid/103170	Third Party Advisory VDB Entry
7	http://www.securitytracker.com/id/1040427	Third Party Advisory VDB Entry
8	http://www.securitytracker.com/id/1040427	Third Party Advisory VDB Entry
9	https://access.redhat.com/errata/RHSA-2018:0465	Third Party Advisory
10	https://access.redhat.com/errata/RHSA-2018:0465	Third Party Advisory
11	https://access.redhat.com/errata/RHSA-2018:0466	Third Party Advisory
12	https://access.redhat.com/errata/RHSA-2018:0466	Third Party Advisory
13	https://access.redhat.com/errata/RHSA-2018:1320	Third Party Advisory
14	https://access.redhat.com/errata/RHSA-2018:1320	Third Party Advisory
15	https://access.redhat.com/errata/RHSA-2018:1447	Third Party Advisory
16	https://access.redhat.com/errata/RHSA-2018:1447	Third Party Advisory
17	https://access.redhat.com/errata/RHSA-2018:1448	Third Party Advisory
18	https://access.redhat.com/errata/RHSA-2018:1448	Third Party Advisory
19	https://access.redhat.com/errata/RHSA-2018:1449	Third Party Advisory
20	https://access.redhat.com/errata/RHSA-2018:1449	Third Party Advisory
21	https://access.redhat.com/errata/RHSA-2018:1450	Third Party Advisory
22	https://access.redhat.com/errata/RHSA-2018:1450	Third Party Advisory
23	https://access.redhat.com/errata/RHSA-2018:1451	Third Party Advisory
24	https://access.redhat.com/errata/RHSA-2018:1451	Third Party Advisory
25	https://access.redhat.com/errata/RHSA-2018:2939	Third Party Advisory
26	https://access.redhat.com/errata/RHSA-2018:2939	Third Party Advisory
27	https://access.redhat.com/errata/RHSA-2019:2205
28	https://access.redhat.com/errata/RHSA-2019:2205
29	https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
30	https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
31	https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
32	https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
33	https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
34	https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
35	https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
36	https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
37	https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
38	https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
39	https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
40	https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
41	https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
42	https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
43	https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
44	https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
45	https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E
46	https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E
47	https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
48	https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
49	https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
50	https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
51	https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
52	https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
53	https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
54	https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
55	https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
56	https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
57	https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
58	https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
59	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
60	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
61	https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
62	https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
63	https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html	Issue Tracking Third Party Advisory
64	https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html	Issue Tracking Third Party Advisory
65	https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html	Mailing List Third Party Advisory
66	https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html	Mailing List Third Party Advisory
67	https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html	Mailing List Third Party Advisory
68	https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html	Mailing List Third Party Advisory
69	https://security.netapp.com/advisory/ntap-20180706-0001/	Patch Third Party Advisory
70	https://security.netapp.com/advisory/ntap-20180706-0001/	Patch Third Party Advisory
71	https://usn.ubuntu.com/3665-1/	Third Party Advisory
72	https://usn.ubuntu.com/3665-1/	Third Party Advisory
73	https://www.debian.org/security/2018/dsa-4281	Third Party Advisory
74	https://www.debian.org/security/2018/dsa-4281	Third Party Advisory
75	https://www.oracle.com/security-alerts/cpuapr2020.html
76	https://www.oracle.com/security-alerts/cpuapr2020.html
77	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
78	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
79	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
80	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:8.0.0:rc1::::::
cpe:2.3:a:apache:tomcat::::::::	8.5.0	8.5.27
cpe:2.3:a:apache:tomcat::::::::	8.0.0	8.0.49
cpe:2.3:a:apache:tomcat::::::::	9.0.0	9.0.4
cpe:2.3:a:apache:tomcat::::::::	7.0.0	7.0.84
cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
cpe:2.3:a:oracle:secure_global_desktop:5.4:::::::*
cpe:2.3:a:oracle:secure_global_desktop:5.3:::::::*
cpe:2.3:a:oracle:micros_relate_crm_software:11.4:::::::*
cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:::::::*