Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2018-1305

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

CVSS v3:

  • Severity: Medium
  • Score: 6.5
  • AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

  • Severity: Low
  • Score: 4
  • AV:N/AC:L/Au:S/C:P/I:N/A:N

No CWE or OWASP classifications available.

Software From Fixed in
apache / tomcat 7.0.0 7.0.84.x
apache / tomcat 8.0.0-rc3 8.0.0-rc3.x
apache / tomcat 8.0.0-rc1 8.0.0-rc1.x
apache / tomcat 8.0.0-rc10 8.0.0-rc10.x
apache / tomcat 8.0.0-rc5 8.0.0-rc5.x
apache / tomcat 8.0.0 8.0.49.x
apache / tomcat 9.0.0 9.0.0.x
apache / tomcat 9.0.1 9.0.1.x
apache / tomcat 9.0.2 9.0.2.x
apache / tomcat 9.0.3 9.0.3.x
apache / tomcat 9.0.4 9.0.4.x
apache / tomcat 8.5.0 8.5.27.x
debian / debian_linux 8.0 8.0.x
debian / debian_linux 7.0 7.0.x
debian / debian_linux 9.0 9.0.x
canonical / ubuntu_linux 16.04 16.04.x
canonical / ubuntu_linux 14.04 14.04.x
canonical / ubuntu_linux 17.10 17.10.x
canonical / ubuntu_linux 18.04 18.04.x
oracle / managed_file_transfer 12.2.1.3.0 12.2.1.3.0.x
oracle / managed_file_transfer 12.1.3.0.0 12.1.3.0.0.x
oracle / micros_relate_crm_software 11.4 11.4.x
oracle / fusion_middleware 12.2.1.3.0 12.2.1.3.0.x
org.apache.tomcat.embed / tomcat-embed-core 9.0.0 9.0.5
org.apache.tomcat.embed / tomcat-embed-core 8.5.0 8.5.28
org.apache.tomcat.embed / tomcat-embed-core 7.0.0 7.0.85
apache / tomcat 9.0.0-milestone1 9.0.0-milestone1.x
apache / tomcat 9.0.0-milestone10 9.0.0-milestone10.x
apache / tomcat 9.0.0-milestone11 9.0.0-milestone11.x
apache / tomcat 9.0.0-milestone12 9.0.0-milestone12.x
apache / tomcat 9.0.0-milestone13 9.0.0-milestone13.x
apache / tomcat 9.0.0-milestone14 9.0.0-milestone14.x
apache / tomcat 9.0.0-milestone15 9.0.0-milestone15.x
apache / tomcat 9.0.0-milestone16 9.0.0-milestone16.x
apache / tomcat 9.0.0-milestone17 9.0.0-milestone17.x
apache / tomcat 9.0.0-milestone18 9.0.0-milestone18.x
apache / tomcat 9.0.0-milestone19 9.0.0-milestone19.x
apache / tomcat 9.0.0-milestone2 9.0.0-milestone2.x
apache / tomcat 9.0.0-milestone20 9.0.0-milestone20.x
apache / tomcat 9.0.0-milestone21 9.0.0-milestone21.x
apache / tomcat 9.0.0-milestone22 9.0.0-milestone22.x
apache / tomcat 9.0.0-milestone23 9.0.0-milestone23.x
apache / tomcat 9.0.0-milestone24 9.0.0-milestone24.x
apache / tomcat 9.0.0-milestone25 9.0.0-milestone25.x
apache / tomcat 9.0.0-milestone26 9.0.0-milestone26.x
apache / tomcat 9.0.0-milestone27 9.0.0-milestone27.x
apache / tomcat 9.0.0-milestone3 9.0.0-milestone3.x
apache / tomcat 9.0.0-milestone4 9.0.0-milestone4.x
apache / tomcat 9.0.0-milestone5 9.0.0-milestone5.x
apache / tomcat 9.0.0-milestone6 9.0.0-milestone6.x
apache / tomcat 9.0.0-milestone7 9.0.0-milestone7.x
apache / tomcat 9.0.0-milestone8 9.0.0-milestone8.x
apache / tomcat 9.0.0-milestone9 9.0.0-milestone9.x