CVE-2018-1305

MEDIUM

Apache Tomcat 7.0.0-9.0.4 - Privilege Escalation

Title source: llm

Description

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Exploits (1)

nomisec WORKING POC 6 stars

by Pa55w0rd · poc

https://github.com/Pa55w0rd/CVE-2018-1305

View Code ZIP pw:eip

References (35)

[Patch, Third Party Advisory] http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

[Patch, Third Party Advisory] http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/103144

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1040428

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:0465

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:0466

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:1320

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:2939

[Mailing List] https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20180706-0001/

[Third Party Advisory] https://usn.ubuntu.com/3665-1/

[Third Party Advisory] https://www.debian.org/security/2018/dsa-4281

[Vendor Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:2205

[Vendor Advisory] https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

[Mailing List] https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

... and 15 more

Scores

CVSS v3 6.5

EPSS 0.2158

EPSS Percentile 95.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

Status published

Products (19)

apache/tomcat 8.0.0 rc1 (4 CPE variants)

apache/tomcat 9.0.0 (28 CPE variants)

apache/tomcat 9.0.1

apache/tomcat 9.0.2

apache/tomcat 9.0.3

apache/tomcat 9.0.4

apache/tomcat 7.0.0 - 7.0.84

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 17.10

... and 9 more

Published Feb 23, 2018

Tracked Since Feb 18, 2026