CVE-2018-1304 (Medium) detected in tomcat-catalina-8.0.14.jar - autoclosed

[mend-for-jackfan.us.kg]

CVE-2018-1304 - Medium Severity Vulnerability

Vulnerable Library - tomcat-catalina-8.0.14.jar

Tomcat Servlet Engine Core Classes and Standard implementations

Path to dependency file: /dd-java-agent/instrumentation/classloading/tomcat-testing/tomcat-testing.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat/tomcat-catalina/8.0.14/1ab50f40dba33c2f2ec99a160fd00e739f36b24b/tomcat-catalina-8.0.14.jar

Dependency Hierarchy:

• ❌ tomcat-catalina-8.0.14.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Publish Date: 2018-02-28

URL: CVE-2018-1304

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304

Release Date: 2018-02-23

Fix Resolution: 8.0.50

---

⛑️ Automatic Remediation is available for this issue