The MITRE CVE dictionary describes this issue as:
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
Find out more about CVE-2018-1305 from the MITRE CVE dictionary and NIST NVD.
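As an added example (not code from this advisory or from the Apache Tomcat project), the annotation-only pattern this issue affected, beside a hardened form that loads the servlet at context start and duplicates the constraint in web.xml; the paths, class names and the "admin" role are assumptions:

```java
// Added example, not code from this advisory or from Apache Tomcat. The paths, class
// names and the "admin" role are illustrative assumptions.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Risky pattern on the affected versions: the only constraint covering /admin/* is the
// annotation below, and the servlet is loaded lazily (no loadOnStartup). Until a request
// actually reaches this servlet, the constraint on /admin/* is not yet installed, so any
// other resource under /admin/ (JSPs, static files, other servlets) can be served
// without the "admin" role check.
@WebServlet(urlPatterns = "/admin/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
class LazyAdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.getWriter().println("admin console");
    }
}

// Hardened alternative (deploy one or the other; two servlets cannot share a pattern):
// 1. loadOnStartup >= 0 makes Tomcat instantiate the servlet during context start, so the
//    annotation-based constraint is installed before the first request is served.
// 2. Declare the same constraint in WEB-INF/web.xml as well. Deployment-descriptor
//    constraints are applied when the context starts, independently of servlet loading,
//    and the Servlet specification gives them precedence over annotations:
//
//    <security-constraint>
//      <web-resource-collection>
//        <web-resource-name>admin area</web-resource-name>
//        <url-pattern>/admin/*</url-pattern>
//      </web-resource-collection>
//      <auth-constraint><role-name>admin</role-name></auth-constraint>
//    </security-constraint>
//    <security-role><role-name>admin</role-name></security-role>
@WebServlet(urlPatterns = "/admin/*", loadOnStartup = 1)
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
class EagerAdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.getWriter().println("admin console");
    }
}
```

On the affected versions, only the second form guarantees that /admin/* is protected from the moment the context starts; on fixed versions the web.xml declaration remains the more robust choice because it does not depend on annotation scanning at all.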
Metric | Value |
---|---|
CVSS3 Base Score | 4.8 |
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | None |
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Fuse 6.3 | RHSA-2018:2939 | 2018-10-17 |
Red Hat JBoss Web Server 3.1 for RHEL 7 | RHSA-2018:0466 | 2018-03-07 |
Red Hat JBoss Web Server 3.1 for RHEL 6 | RHSA-2018:0466 | 2018-03-07 |
Red Hat OpenShift Application Runtimes 1.0 | RHSA-2018:1320 | 2018-05-03 |
Red Hat JBoss Web Server 3.1 | RHSA-2018:0465 | 2018-03-07 |
Platform | Package | State |
---|---|---|
Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-tomcat | Not affected |
Red Hat JBoss Portal Platform 6 | jbossweb | Will not fix |
Red Hat JBoss Operations Network 3 | jbossweb | Not affected |
Red Hat JBoss EWS 2 | tomcat7 | Will not fix |
Red Hat JBoss EWS 2 | tomcat6 | Not affected |
Red Hat JBoss EAP 6 | jbossweb | Not affected |
Red Hat JBoss Data Virtualization 6 | jbossweb | Not affected |
Red Hat JBoss Data Grid 6 | jbossweb | Not affected |
Red Hat Enterprise Linux 7 | tomcat | Affected |
Red Hat Enterprise Linux 6 | tomcat6 | Not affected |
Red Hat Enterprise Linux 5 | tomcat5 | Not affected |