CVE-2018-1304
tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
Severity Score
5.9
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
El patrón de URL "" (la cadena vacía) que mapea exactamente al root de contexto no se gestionó correctamente en Apache Tomcat 9.0.0.M1 a 9.0.4, 8.5.0 a 8.5.27, 8.0.0.RC1 a 8.0.49 y 7.0.0 a 7.0.84 al emplearse como parte de una definición de limitación de seguridad. Esto provocó que el límite se ignorase. Por lo tanto, era posible que usuarios no autorizados obtuviesen acceso a recursos de la aplicación web que tendrían que haber estado protegidos. Solo se han visto afectadas las limitaciones de seguridad con un patrón URL de cadena vacía.
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 2 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Multiple security issues have been addressed.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-12-07 CVE Reserved
- 2018-02-25 First Exploit
- 2018-02-28 CVE Published
- 2024-09-17 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-284: Improper Access Control
CAPEC
References (44)
| URL | Date | SRC |
|---|---|---|
| https://github.com/knqyf263/CVE-2018-1304 | 2018-02-25 | |
| https://github.com/thariyarox/tomcat_CVE-2018-1304_testing | 2018-03-08 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:0465 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2018:0466 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2018:1320 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2018:1447 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2018:1448 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2018:1449 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2018:1450 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2018:1451 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2018:2939 | 2023-12-08 | |
| https://access.redhat.com/errata/RHSA-2019:2205 | 2023-12-08 | |
| https://usn.ubuntu.com/3665-1 | 2023-12-08 | |
| https://www.debian.org/security/2018/dsa-4281 | 2023-12-08 | |
| https://access.redhat.com/security/cve/CVE-2018-1304 | 2019-08-06 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1548289 | 2019-08-06 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Web Server Search vendor "Redhat" for product "Jboss Enterprise Web Server" | 3.0.0 Search vendor "Redhat" for product "Jboss Enterprise Web Server" and version "3.0.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Web Server Search vendor "Redhat" for product "Jboss Enterprise Web Server" | 3.0.0 Search vendor "Redhat" for product "Jboss Enterprise Web Server" and version "3.0.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | >= 7.0.0 <= 7.0.84 Search vendor "Apache" for product "Tomcat" and version " >= 7.0.0 <= 7.0.84" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | >= 8.0.0 <= 8.0.49 Search vendor "Apache" for product "Tomcat" and version " >= 8.0.0 <= 8.0.49" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | >= 8.5.0 <= 8.5.27 Search vendor "Apache" for product "Tomcat" and version " >= 8.5.0 <= 8.5.27" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | >= 9.0.0 <= 9.0.4 Search vendor "Apache" for product "Tomcat" and version " >= 9.0.0 <= 9.0.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 8.0.0 Search vendor "Apache" for product "Tomcat" and version "8.0.0" | rc1 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone1 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone10 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone11 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone12 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone13 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone14 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone15 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone16 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone17 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone18 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone19 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone2 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone20 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone21 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone22 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone23 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone24 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone25 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone26 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone27 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone3 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone4 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone5 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone6 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone7 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone8 |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0" | milestone9 |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 17.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Fusion Middleware Search vendor "Oracle" for product "Fusion Middleware" | 12.2.1.3.0 Search vendor "Oracle" for product "Fusion Middleware" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hospitality Guest Access Search vendor "Oracle" for product "Hospitality Guest Access" | 4.2.0 Search vendor "Oracle" for product "Hospitality Guest Access" and version "4.2.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hospitality Guest Access Search vendor "Oracle" for product "Hospitality Guest Access" | 4.2.1 Search vendor "Oracle" for product "Hospitality Guest Access" and version "4.2.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Micros Relate Crm Software Search vendor "Oracle" for product "Micros Relate Crm Software" | 11.4 Search vendor "Oracle" for product "Micros Relate Crm Software" and version "11.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop" | 5.3 Search vendor "Oracle" for product "Secure Global Desktop" and version "5.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Secure Global Desktop Search vendor "Oracle" for product "Secure Global Desktop" | 5.4 Search vendor "Oracle" for product "Secure Global Desktop" and version "5.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Middleware Search vendor "Redhat" for product "Jboss Middleware" | 1 Search vendor "Redhat" for product "Jboss Middleware" and version "1" | - |
Affected
| ||||||