CVE-2018-1304 (Medium) detected in tomcat-catalina-7.0.42.jar

[mend-for-github-com]

CVE-2018-1304 - Medium Severity Vulnerability

Vulnerable Library - tomcat-catalina-7.0.42.jar

Tomcat Servlet Engine Core Classes and Standard implementations

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /repository/org/apache/tomcat/tomcat-catalina/7.0.42/tomcat-catalina-7.0.42.jar

Dependency Hierarchy:

• ❌ tomcat-catalina-7.0.42.jar (Vulnerable Library)

Found in HEAD commit: 349fffeed7cf25f2cf5b8b6a05b5e4367130406e

Found in base branches: dev, master

Vulnerability Details

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Publish Date: 2018-02-28

URL: CVE-2018-1304

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304

Release Date: 2018-02-23

Fix Resolution: 7.0.85

---

⛑️ Automatic Remediation is available for this issue