CVE - CVE-2018-1305 1/16/20, 2:34 PM

Common Vulnerabilities and Exposures

CVE-ID

CVE-2018-1305

Description
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were
only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it
was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users
who were not authorised to access them.

References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

BID:103144
URL:http://www.securityfocus.com/bid/103144
CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CONFIRM:https://security.netapp.com/advisory/ntap-20180706-0001/
DEBIAN:DSA-4281
URL:https://www.debian.org/security/2018/dsa-4281
MISC:https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E
MISC:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
MLIST:[debian-lts-announce] 20180306 [SECURITY] [DLA 1301-1] tomcat7 security update
URL:https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html
MLIST:[debian-lts-announce] 20180627 [SECURITY] [DLA 1400-1] tomcat7 security update
URL:https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html
MLIST:[debian-lts-announce] 20180729 [SECURITY] [DLA 1450-1] tomcat8 security update
URL:https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html
MLIST:[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
URL:https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
URL:https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
URL:https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
URL:https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
URL:https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
URL:https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
URL:https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/
URL:https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
URL:https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
URL:https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E
MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
URL:https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
REDHAT:RHSA-2018:0465
URL:https://access.redhat.com/errata/RHSA-2018:0465
REDHAT:RHSA-2018:0466
URL:https://access.redhat.com/errata/RHSA-2018:0466
REDHAT:RHSA-2018:1320
URL:https://access.redhat.com/errata/RHSA-2018:1320
REDHAT:RHSA-2018:2939
URL:https://access.redhat.com/errata/RHSA-2018:2939
REDHAT:RHSA-2019:2205
URL:https://access.redhat.com/errata/RHSA-2019:2205
SECTRACK:1040428
URL:http://www.securitytracker.com/id/1040428
UBUNTU:USN-3665-1
URL:https://usn.ubuntu.com/3665-1/

Assigning CNA
Apache Software Foundation

Date Entry Created
20171207

Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)
Assigned (20171207)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305
