CVE-2018-1304 (Medium) detected in tomcat-catalina-7.0.42.jar - autoclosed

[mend-for-github-com]

CVE-2018-1304 - Medium Severity Vulnerability

Vulnerable Library - tomcat-catalina-7.0.42.jar

Tomcat Servlet Engine Core Classes and Standard implementations

Library home page: http://tomcat.apache.org/

Dependency Hierarchy:

• ❌ tomcat-catalina-7.0.42.jar (Vulnerable Library)

Found in HEAD commit: 910335bf446a1a65011c17bf5badb72c4d4efc50

Vulnerability Details

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Publish Date: 2018-02-28

URL: CVE-2018-1304

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304

Release Date: 2018-02-28

Fix Resolution: 9.0.5,8.5.28,8.0.50,7.0.85

[mend-for-github-com]

ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #106