PT-2018-2767 · Apache · Apache Tomcat

Published: 2018-02-11 · Updated: 2025-09-29 · CVE-2018-1304

CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 9.0.0.M1 through 9.0.4
Apache Tomcat versions 8.5.0 through 8.5.27
Apache Tomcat versions 8.0.0.RC1 through 8.0.49
Apache Tomcat versions 7.0.0 through 7.0.84
Description

The issue arises from the incorrect handling of the URL pattern "" (the empty string), which maps exactly to the context root, when it is used as part of a security constraint definition. The constraint is ignored, allowing unauthorized users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string are affected.
Recommendations

For Apache Tomcat versions 9.0.0.M1 through 9.0.4, update to a version outside of this range to resolve the issue.
For Apache Tomcat versions 8.5.0 through 8.5.27, update to a version outside of this range to resolve the issue.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.49, update to a version outside of this range to resolve the issue.
For Apache Tomcat versions 7.0.0 through 7.0.84, update to a version outside of this range to resolve the issue.

As a temporary workaround, consider reviewing and adjusting security constraint definitions to avoid the use of the empty string URL pattern.
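As an added audit helper (not part of this advisory or of Tomcat), the Python script below parses a deployment descriptor and reports every security constraint whose URL patterns include the empty string described above, which is the check behind the workaround. The web.xml content, constraint names and role name are constructed for illustration.

```python
"""Audit a web.xml for security constraints that rely on the empty-string
URL pattern, which the affected Tomcat releases ignore (CVE-2018-1304)."""
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not taken from a real application).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>root-only</display-name>
    <web-resource-collection>
      <web-resource-name>Context root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>admin-area</display-name>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace from a tag: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def find_empty_pattern_constraints(web_xml):
    """Return [(display_name, [url patterns])] for every security-constraint
    whose resource collections include the empty-string URL pattern."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name = next((c.text.strip() for c in sc
                     if _local(c.tag) == "display-name" and c.text), "<unnamed>")
        # An empty element has text None; treat None and whitespace alike.
        patterns = [(el.text or "").strip() for el in sc.iter()
                    if _local(el.tag) == "url-pattern"]
        if "" in patterns:
            findings.append((name, patterns))
    return findings

if __name__ == "__main__":
    for name, patterns in find_empty_pattern_constraints(SAMPLE_WEB_XML):
        print(f"constraint '{name}' uses the empty URL pattern: {patterns}")
```

Run it against each deployed application's WEB-INF/web.xml; any reported constraint is one that the affected versions silently skip until the server is updated.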

Related Identifiers

ALSA-2025_16880
ALT-PU-2018-1731
BDU:2019-01759
CESA-2019_2205
CVE-2018-1304
DLA-1301-1
DLA-1400-1
DLA-1400-2
DLA-1450-1
DSA-4281-1
ELSA-2019-2205
GHSA-6RXJ-58JH-436R
MGASA-2018-0149
RHSA-2018:0466
RHSA-2018:1448
RHSA-2018:1449
RHSA-2018:1450
RHSA-2018:1451
RHSA-2019:2205
RHSA-2019_2205
SUSE-SU-2018:0817-1
SUSE-SU-2018:1847-1
SUSE-SU-2018:3261-1
SUSE-SU-2018:3388-1
SUSE-SU-2018_1847-1
USN-3665-1

Affected Products

Alt Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu