CVE-2018-1305

MEDIUM

Description

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

ID	Name	Product	Family	Severity
700705	Apache Tomcat 9.0.x < 9.0.5 Insecure CGI Servlet Search Algorithm Description Weakness	Nessus Network Monitor	Web Servers	high
700693	Apache Tomcat 8.5.x < 8.5.28 Security Constraint Weakness	Nessus Network Monitor	Web Servers	medium
700687	Apache Tomcat 8.0.x < 8.0.50 Security Constraint Weakness	Nessus Network Monitor	Web Servers	medium
700677	Apache Tomcat 7.0.x < 7.0.85 Security Constraint Weakness	Nessus Network Monitor	Web Servers	medium
112307	Apache Tomcat 7.0.0 < 7.0.85 Security Constraint Weakness	Web Application Scanning	Component Vulnerability	medium
112298	Apache Tomcat 8.5.x < 8.5.28 Security Constraint Weakness	Web Application Scanning	Component Vulnerability	medium
112292	Apache Tomcat 9.0.0.M1 < 9.0.5 Security Constraint Weakness	Web Application Scanning	Component Vulnerability	medium
112185	Debian DSA-4281-1 : tomcat8 - security update	Nessus	Debian Local Security Checks	medium
111391	Debian DLA-1450-1 : tomcat8 security update	Nessus	Debian Local Security Checks	medium
111333	Oracle Secure Global Desktop Multiple Vulnerabilities (July 2018 CPU)	Nessus	Misc.	high
110264	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : tomcat7, tomcat8 vulnerabilities (USN-3665-1)	Nessus	Ubuntu Local Security Checks	high
108838	Fedora 26 : 1:tomcat (2018-a233dae4ab)	Nessus	Fedora Local Security Checks	medium
108837	Fedora 27 : 1:tomcat (2018-50f0da5d38)	Nessus	Fedora Local Security Checks	medium
108742	openSUSE Security Update : tomcat (openSUSE-2018-325)	Nessus	SuSE Local Security Checks	medium
108598	Amazon Linux AMI : tomcat80 (ALAS-2018-973)	Nessus	Amazon Linux Local Security Checks	medium
108597	Amazon Linux AMI : tomcat7 / tomcat8 (ALAS-2018-972)	Nessus	Amazon Linux Local Security Checks	medium
107208	RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 2 (RHSA-2018:0466)	Nessus	Red Hat Local Security Checks	medium
107151	Debian DLA-1301-1 : tomcat7 security update	Nessus	Debian Local Security Checks	medium
107043	FreeBSD : tomcat -- Security constraints ignored or applied too late (55c4233e-1844-11e8-a712-0025908740c2)	Nessus	FreeBSD Local Security Checks	medium
106978	Apache Tomcat 9.0.0.M1 < 9.0.5 Insecure CGI Servlet Search Algorithm Description Weakness	Nessus	Web Servers	medium
106977	Apache Tomcat 8.5.x < 8.5.28 Security Constraint Weakness	Nessus	Web Servers	medium
106976	Apache Tomcat 8.0.0.RC1 < 8.0.50 Security Constraint Weakness	Nessus	Web Servers	medium
106975	Apache Tomcat 7.0.0 < 7.0.85 Security Constraint Weakness	Nessus	Web Servers	medium

CVE-2018-1305

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0