PT-2018-2766 · Apache · Apache Tomcat
Published 2018-02-11 · Updated 2025-09-29 · CVE-2018-1305
CVSS v2.0
| Score | 6.8 (Medium) |
| Vector | AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 7.0.0 through 7.0.84
Apache Tomcat versions 8.0.0.RC1 through 8.0.49
Apache Tomcat versions 8.5.0 through 8.5.27
Apache Tomcat versions 9.0.0.M1 through 9.0.4
Description
Security constraints declared with the @ServletSecurity annotation on a Servlet were only applied once that Servlet had been loaded, and Tomcat loads a Servlet lazily on the first request that maps to it unless load-on-startup is set. Because a constraint declared this way covers the Servlet's URL pattern and every URL below it, whether the protection was in force depended on the order in which Servlets were loaded: the first request to an annotated Servlet is authorized before the Servlet is loaded, and a second Servlet mapped to a more specific path beneath the annotated pattern can be served indefinitely without the annotated Servlet ever being loaded. Resources could therefore be exposed to users who were not authorized to access them. The weakness is improper access control: a remote attacker could bypass the intended authorization and reach protected resources.
Recommendations
For Apache Tomcat versions 7.0.0 through 7.0.84, update to 7.0.85 or later.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.49, update to 8.0.50 or later.
For Apache Tomcat versions 8.5.0 through 8.5.27, update to 8.5.28 or later.
For Apache Tomcat versions 9.0.0.M1 through 9.0.4, update to 9.0.5 or later.
As a temporary workaround, declare the security constraints in web.xml (`<security-constraint>`), which Tomcat applies when the web application is deployed regardless of when a Servlet is loaded, or set load-on-startup on every Servlet that carries a @ServletSecurity annotation so that its constraints are registered when the web application starts rather than on first request. Until the fix is deployed, also consider restricting access to sensitive resources at the network or reverse-proxy layer.
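The deployment shape the description refers to, together with the load-on-startup workaround from the recommendations, as an added example that is not code from this advisory or from the Apache Tomcat project. Two Servlets are shown as one listing but are deployed as two source files; the class names, the `/admin/*` and `/admin/report` URL patterns and the `admin` role are illustrative assumptions, and a realm plus a `<login-config>` in web.xml are assumed to exist.

```java
// Added example, not Tomcat project code. Two source files shown as one listing.
// Class names, URL patterns and the "admin" role are assumptions for illustration.

// --- AdminServlet.java ---
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Vulnerable shape on Tomcat 7.0.84 / 8.0.49 / 8.5.27 / 9.0.4 and earlier: the constraint
// below is registered only when this Servlet is loaded, and without loadOnStartup Tomcat
// loads it lazily on the first request that maps to it. The authenticator valve runs before
// the Servlet is loaded, so that first request is authorized with no constraint on /admin/*.
//
// Hardened form on the same unpatched Tomcat: force the load at web application start so
// the constraint exists before any request is served:
//   @WebServlet(urlPatterns = "/admin/*", loadOnStartup = 1)
@WebServlet(urlPatterns = "/admin/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        // getRemoteUser() is null on the unauthenticated first request to the vulnerable form.
        resp.getWriter().println("admin console for " + req.getRemoteUser());
    }
}

// --- ReportServlet.java ---
// Mapped to an exact path beneath /admin/*. Requests for /admin/report match this Servlet,
// not AdminServlet, so AdminServlet is never loaded and the /admin/* constraint is never
// registered: /admin/report stays reachable without authentication for as long as nobody
// requests a path that AdminServlet itself serves. With loadOnStartup = 1 on AdminServlet,
// or on a patched Tomcat (which processes the annotation before the first request), the
// /admin/* constraint covers /admin/report from the first request on.
@WebServlet(urlPatterns = "/admin/report")
public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("quarterly report");
    }
}
```

The declarative alternative does not depend on Servlet loading at all: a `<security-constraint>` in web.xml with `<url-pattern>/admin/*</url-pattern>` and an `<auth-constraint>` naming the `admin` role is applied when the web application is deployed, so it protects `/admin/report` from the first request on any affected version. Setting `metadata-complete="true"` on the `<web-app>` element additionally stops Tomcat from processing annotations, so only the declarative constraints are in force.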
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2018-1305
Affected Products
ALT Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu