CVE-2018-1305

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type

GIT

Repo

https://github.com/apache/tomcat

Events

Introduced

e498667bd7811e846771a852b16ce9f1e524b81b

Last affected

3c2d9937c285b0b2ef02d02d703bc64f00a2c5b7

Introduced

Last affected

16bf392c67833ad549733b58c350ff92b5ee782a

Introduced

Last affected

29b07def810d335012e738b22ab44d4e232b50d1

Introduced

Last affected

10e04de1946981261a734507f4a6d953e2a206fe

Introduced

Last affected

65ddc3a3872ea41ca67fec7b6834c704b6893361

Introduced

Last affected

b5a74e3c7913c560648f0ffedfbbb3ebe4318def

Introduced

Last affected

de128d72af746184e035ff1b53629f08cb141a04

Introduced

Last affected

aac670afe1226e10513021100fce8a12344743c6

Introduced

Last affected

c2c8107f0cea4755497a85990807b883b66f6b57

Introduced

Last affected

8c48678b110f3fbbe66f6dde0e45d2578fa92c29

Introduced

Last affected

9c5edb840d9413c1408e7c191bc0e1bbfcd9e07f

Introduced

Last affected

59e713216cf2256aacc54f6ba627865f356f9e4e

Introduced

Last affected

7dc5e29fe49850102261badf158752d6865311e4

Introduced

Last affected

18b014d8691909be6153ae7db022a6c35f9c93ea

Introduced

Last affected

600dc8ba5d9be7599d29bff83c342213d93b034e

Introduced

Last affected

3bd48aab236e5bf0ed1644e9f0c588fd20e503ab

Introduced

Last affected

642d3dd4d50ea1f03f9827962e4fc982a123bb78

Introduced

Last affected

24566c02fb917a6ca1b6479a60971b0d8acd895c

Introduced

Last affected

cac0e029dcced854eeca7444710e78e412dc2c2a

Introduced

Last affected

c5efed313de1a181f4f9f98f5023117f3b911257

Introduced

Last affected

ab04166fac59fcf9b3be3aab1c8b896842782d4c

Introduced

Last affected

35071e7e52f296b9187b054b0efd74121b7db3bd

Introduced

Last affected

d1dc05e934e089ea8907998cf850760017a0ed82

Introduced

Last affected

fd7f13635e6855f6ba3fead0bf37ba2fbf8b68cf

Introduced

Last affected

c7b84102600d600bcc527560d9c4d10c3fd440ab

Introduced

Last affected

d8ebf61e51b4455e3c226751e492a533f9002d48

Introduced

Last affected

aba238718ac9b149d25feaa9a14ecad3b0e3a5e2

Introduced

Last affected

fe854ab1f111396458d98fa2ab08c693ce9407e1

Introduced

Last affected

45f8fd74cdb96490fab8709263a4d862f0d429cf

Introduced

Last affected

3c78e95e36268dfb76db1570f0cf49104fa6eabc

Introduced

Last affected

9dc486b616a1599fa3fa4e27a7933ca06bfa4785

Introduced

Last affected

2bd753075d4f87ee9db49d3ad55cfaec78a82329

Introduced

Last affected

f496ba0669fcdc034683aab80e627de5aee50b8e

Introduced

e37b977db6f47e4380ad67114a49e8568951c953

Last affected

d4e9735adc0819314811c134d7899adcdb0f629e

Introduced

Last affected

e498667bd7811e846771a852b16ce9f1e524b81b

Introduced

Last affected

16bf392c67833ad549733b58c350ff92b5ee782a

Database specific

{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "last_affected": "7.0.84"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone10"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone11"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone12"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone13"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone14"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone15"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone16"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone17"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone18"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone19"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone20"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone21"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone22"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone23"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone24"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone25"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone26"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone27"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone7"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.0-milestone9"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0.4"
        },
        {
            "introduced": "8.5.0"
        },
        {
            "last_affected": "8.5.27"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0"
        }
    ]
}

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "8.0.0"
            },
            {
                "last_affected": "8.0.49"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0.0-rc1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0.0-rc10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0.0-rc3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0.0-rc5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "14.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.2.1.3.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.1.3.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.2.1.3.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.4"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1305.json"