CVE-2018-1305

MEDIUM

Apache Tomcat 7.0.0-9.0.4 - Privilege Escalation

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-1305. PoCs published by Pa55w0rd.

AI-analyzed exploit summary: This repository demonstrates CVE-2018-1305, an authorization bypass vulnerability in Apache Tomcat due to incorrect application of ServletSecurity annotations. The PoC shows how security constraints fail to apply if a nested servlet is accessed before its parent servlet.

Description

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
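
The load-order dependence described above, as an added example: a simplified Python model written for this page, not Tomcat's code and not the referenced PoC. The `/admin/*` and `/admin/report` patterns, the `admin` role and all class and function names are constructed; `eager=True` models constraints being known at deployment rather than on first use of each servlet.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Servlet:
    pattern: str                        # exact path, or prefix ending in "/*"
    roles: Optional[frozenset] = None   # None: servlet carries no constraint

def matches(pattern: str, path: str) -> bool:
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern

class Context:
    """Simplified model of a web application, not Tomcat's implementation."""
    def __init__(self, servlets, eager: bool):
        self.servlets = list(servlets)
        self.constraints = set()        # (pattern, roles) enforced so far
        if eager:                       # all constraints known at deployment
            for s in self.servlets:
                self._apply(s)

    def _apply(self, servlet):
        if servlet.roles is not None:
            self.constraints.add((servlet.pattern, servlet.roles))

    def request(self, path, user_roles=frozenset()) -> int:
        hits = [s for s in self.servlets if matches(s.pattern, path)]
        if not hits:
            return 404
        target = max(hits, key=lambda s: len(s.pattern))  # most specific mapping
        self._apply(target)             # lazy: constraint appears on first use
        for pattern, roles in self.constraints:
            if matches(pattern, path) and not (roles & user_roles):
                return 403
        return 200

# Constructed layout: constrained parent, unconstrained servlet nested below it.
PARENT = Servlet("/admin/*", frozenset({"admin"}))
NESTED = Servlet("/admin/report")

def first_responses(eager: bool):
    ctx = Context([PARENT, NESTED], eager)
    return [ctx.request("/admin/report"),   # nested servlet requested first
            ctx.request("/admin/users"),    # parent servlet is first used here
            ctx.request("/admin/report")]   # same URL as the first request

if __name__ == "__main__":
    print("lazy :", first_responses(eager=False))
    print("eager:", first_responses(eager=True))
```

In the lazy model the same anonymous request for `/admin/report` is answered 200 before the parent servlet has been used and 403 afterwards; in the eager model it is 403 from the first request.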

Exploits (1)

nomisec WORKING POC 6 stars
by Pa55w0rd · poc
https://github.com/Pa55w0rd/CVE-2018-1305

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat < 9.0.5, < 8.5.28, < 8.0.50, < 7.0.85
No auth needed
Prerequisites: Tomcat server with vulnerable version · Deployment of the provided servlets with specific URL patterns
devstral-2 · analyzed Feb 16, 2026

References (35)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103144
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180706-0001/
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4281
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2939
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0465
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3665-1/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1320
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0466
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040428
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2205

Scores

CVSS v3 6.5
EPSS 0.2158
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

Status published
Products (19)
apache/tomcat 8.0.0 rc1 (4 CPE variants)
apache/tomcat 9.0.0 (28 CPE variants)
apache/tomcat 9.0.1
apache/tomcat 9.0.2
apache/tomcat 9.0.3
apache/tomcat 9.0.4
apache/tomcat 7.0.0 - 7.0.84
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
... and 9 more
Published Feb 23, 2018
Tracked Since Feb 18, 2026