
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE

Summary

Security constraints defined by annotations of Servlets (i.e. `@ServletSecurity` annotations, as opposed to `<security-constraint>` elements in web.xml) in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. The fix ships in Tomcat 9.0.5, 8.5.28, 8.0.50 and 7.0.85 (see the version-based TOMCAT_* Nessus checks below); distribution packages carry backported fixes and are identified by package version rather than upstream version.

Vulnerable Configurations

Part Description Count
Application
Apache
208
Application
Oracle
4
OS
Debian
3
OS
Canonical
4

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-50F0DA5D38.NASL
    descriptionThis update includes a rebase from 8.0.49 up to 8.0.50 which resolves two CVEs along with various other bugs/features : - rhbz#1548290 CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources - rhbz#1548284 CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-04-05
    plugin id108837
    published2018-04-05
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108837
    titleFedora 27 : 1:tomcat (2018-50f0da5d38)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-50f0da5d38.
    #
    
    include("compat.inc");
    
    # Plugin registration. Nessus evaluates this branch with `description`
    # set to collect metadata only; the actual package check follows below.
    if (description)
    {
      script_id(108837);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      # Both CVEs closed by the Fedora rebase to 8.0.50 are claimed by this
      # single plugin; a hit does not tell the two apart.
      script_cve_id("CVE-2018-1304", "CVE-2018-1305");
      script_xref(name:"FEDORA", value:"2018-50f0da5d38");
    
      script_name(english:"Fedora 27 : 1:tomcat (2018-50f0da5d38)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # Advisory text is reproduced verbatim from Fedora (including its
      # "unitended" typo); it is user-facing output, not a comment.
      script_set_attribute(
        attribute:"description", 
        value:
    "This update includes a rebase from 8.0.49 up to 8.0.50 which resolves
    two CVEs along with various other bugs/features :
    
      - rhbz#1548290	CVE-2018-1304 tomcat: Incorrect handling
        of empty string URL in security constraints can lead to
        unitended exposure of resources
    
      - rhbz#1548284 CVE-2018-1305 tomcat: Late application of
        security constraints can lead to resource exposure for
        unauthorised users
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-50f0da5d38"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 1:tomcat package."
      );
      # Severity is scored for the advisory as a whole, not for CVE-2018-1305
      # alone. NOTE(review): the two vectors disagree on whether the attacker
      # needs credentials (v2 says Au:N, v3 says PR:L); the v3 vector is the
      # one that yields the 6.5 / MEDIUM rating. Confidentiality-only impact
      # in both.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
    
      # Credentialed local check: nothing is sent to Tomcat over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:tomcat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # The check needs KB entries populated by the SSH info gatherer. If the
      # rpm list is absent the plugin audits out instead of reporting, so "no
      # finding" on an uncredentialed scan is not evidence the host is patched.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Credentialed local check: the rpm list must have been collected over SSH.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    
    # Only Fedora 27 is in scope for this advisory; any other release audits out.
    ver_match = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    fedora_ver = ver_match[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:fedora_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + fedora_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 hosts are evaluated. tomcat is presumably a noarch package, so
    # hosts on other architectures audit out here rather than being checked
    # (a possible false negative, not a clean bill of health).
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # First fixed build per FEDORA-2018-50f0da5d38 is 1:tomcat-8.0.50-1.fc27;
    # epoch:"1" mirrors the "1:" prefix in the advisory's package name.
    outdated = rpm_check(release:"FC27", reference:"tomcat-8.0.50-1.fc27", epoch:"1");
    
    if (!outdated)
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:tomcat");
    }
    
    # Reported as a warning (MEDIUM), in line with the confidentiality-only CVSS vectors.
    security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get());
    exit(0);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3665-1.NASL
    descriptionIt was discovered that Tomcat incorrectly handled being configured with HTTP PUTs enabled. A remote attacker could use this issue to upload a JSP file to the server and execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-12616, CVE-2017-12617) It was discovered that Tomcat contained incorrect documentation regarding description of the search algorithm used by the CGI Servlet to identify which script to execute. This issue only affected Ubuntu 17.10. (CVE-2017-15706) It was discovered that Tomcat incorrectly handled an empty string URL pattern in security constraint definitions. A remote attacker could possibly use this issue to gain access to web application resources, contrary to expectations. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1304) It was discovered that Tomcat incorrectly handled applying certain security constraints. A remote attacker could possibly access certain resources, contrary to expectations. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1305) It was discovered that the Tomcat CORS filter default settings were insecure and would enable 'supportsCredentials' for all origins, contrary to expectations. (CVE-2018-8014)
    last seen2020-06-01
    modified2020-06-02
    plugin id110264
    published2018-05-31
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110264
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : tomcat7, tomcat8 vulnerabilities (USN-3665-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3665-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration. Nessus evaluates this branch with `description`
    # set to collect metadata only; the dpkg version check follows below.
    if (description)
    {
      script_id(110264);
      script_version("1.12");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      # Six CVEs from one notice. Per the advisory text below, CVE-2018-1305
      # (and 1304, 12616/12617) do not affect 18.04, so a hit on an 18.04
      # host reflects CVE-2018-8014 only. The plugin does not separate them.
      script_cve_id("CVE-2017-12616", "CVE-2017-12617", "CVE-2017-15706", "CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014");
      script_xref(name:"USN", value:"3665-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : tomcat7, tomcat8 vulnerabilities (USN-3665-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      # Advisory text reproduced verbatim from Canonical; it is user-facing
      # output, so its wording ("en empty string") is left untouched here.
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Tomcat incorrectly handled being configured
    with HTTP PUTs enabled. A remote attacker could use this issue to
    upload a JSP file to the server and execute arbitrary code. This issue
    only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10.
    (CVE-2017-12616, CVE-2017-12617)
    
    It was discovered that Tomcat contained incorrect documentation
    regarding description of the search algorithm used by the CGI Servlet
    to identify which script to execute. This issue only affected Ubuntu
    17.10. (CVE-2017-15706)
    
    It was discovered that Tomcat incorrectly handled en empty string URL
    pattern in security constraint definitions. A remote attacker could
    possibly use this issue to gain access to web application resources,
    contrary to expectations. This issue only affected Ubuntu 14.04 LTS,
    Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1304)
    
    It was discovered that Tomcat incorrectly handled applying certain
    security constraints. A remote attacker could possibly access certain
    resources, contrary to expectations. This issue only affected Ubuntu
    14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1305)
    
    It was discovered that the Tomcat CORS filter default settings were
    insecure and would enable 'supportsCredentials' for all origins,
    contrary to expectations. (CVE-2018-8014).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3665-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # Severity, exploit availability and the Metasploit/D2 references
      # describe the worst issue in the notice (the JSP-upload RCE,
      # CVE-2017-12616/12617 - see metasploit_name below), not
      # CVE-2018-1305, which is confidentiality-only (C:H/I:N/A:N). Do not
      # read the 9.8 / SECURITY_HOLE rating as this CVE's score.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Apache Tomcat VirtualDirContext Class File Handling Remote JSP Source Code Disclosure");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Tomcat RCE via JSP Upload Bypass');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      # Credentialed local check: nothing is sent to Tomcat over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtomcat7-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtomcat8-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:tomcat8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      # vuln_publication_date is the earliest CVE in the notice (the 2017
      # JSP-upload issues); CVE-2018-1305 itself was published 2018-02-23.
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      # Requires the SSH-gathered dpkg list; without it the check audits out
      # rather than reporting, so "no finding" on an uncredentialed scan is
      # not evidence the host is patched.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    # Credentialed local check: needs the dpkg package list gathered over SSH.
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    # Anchored match: only the four releases named in USN-3665-1 are evaluated.
    if (! preg(pattern:"^(14\.04|16\.04|17\.10|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.10 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 hosts are evaluated. The tomcat packages are presumably
    # architecture-independent, so hosts on other architectures audit out
    # here unchecked (a possible false negative, not a clean result).
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    # release|package|first fixed version, as published in USN-3665-1. A host
    # is flagged when an installed package is older than the listed version.
    fixed = make_list(
      "14.04|libtomcat7-java|7.0.52-1ubuntu0.14",
      "14.04|tomcat7|7.0.52-1ubuntu0.14",
      "16.04|libtomcat8-java|8.0.32-1ubuntu1.6",
      "16.04|tomcat8|8.0.32-1ubuntu1.6",
      "17.10|libtomcat8-java|8.5.21-1ubuntu1.1",
      "17.10|tomcat8|8.5.21-1ubuntu1.1",
      "18.04|libtomcat8-java|8.5.30-1ubuntu1.2",
      "18.04|tomcat8|8.5.30-1ubuntu1.2"
    );
    
    hits = 0;
    foreach entry (fixed)
    {
      fields = split(entry, sep:"|", keep:FALSE);
      if (ubuntu_check(osver:fields[0], pkgname:fields[1], pkgver:fields[2])) hits++;
    }
    
    if (!hits)
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtomcat7-java / libtomcat8-java / tomcat7 / tomcat8");
    }
    
    # SECURITY_HOLE reflects the RCE issues in this notice, not CVE-2018-1305 alone.
    security_report_v4(port:0, severity:SECURITY_HOLE, extra:ubuntu_report_get());
    exit(0);
    
  • NASL familyWeb Servers
    NASL idTOMCAT_7_0_85.NASL
    descriptionThe version of Apache Tomcat installed on the remote host is 7.0.x prior to 7.0.85. It is, therefore, affected by a security constraints flaw which could expose resources to unauthorized users.
    last seen2020-03-18
    modified2018-02-23
    plugin id106975
    published2018-02-23
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106975
    titleApache Tomcat 7.0.0 < 7.0.85 Security Constraint Weakness
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190806_TOMCAT_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) - tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) - tomcat: Insecure defaults in CORS filter enable
    last seen2020-03-18
    modified2019-08-27
    plugin id128266
    published2019-08-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128266
    titleScientific Linux Security Update : tomcat on SL7.x x86_64 (20190806)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1450.NASL
    descriptionSeveral security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2018-1304 The URL pattern of
    last seen2020-06-01
    modified2020-06-02
    plugin id111391
    published2018-07-30
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111391
    titleDebian DLA-1450-1 : tomcat8 security update
  • NASL familyWeb Servers
    NASL idTOMCAT_9_0_5.NASL
    descriptionThe version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.5. It is, therefore, affected by a security constraints flaw which could expose resources to unauthorized users.
    last seen2020-03-18
    modified2018-02-23
    plugin id106978
    published2018-02-23
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106978
    titleApache Tomcat 9.0.0.M1 < 9.0.5 Insecure CGI Servlet Search Algorithm Description Weakness
  • NASL familyWeb Servers
    NASL idTOMCAT_8_5_28.NASL
    descriptionThe version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.28. It is, therefore, affected by a security constraints flaw which could expose resources to unauthorized users.
    last seen2020-03-18
    modified2018-02-23
    plugin id106977
    published2018-02-23
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106977
    titleApache Tomcat 8.5.x < 8.5.28 Security Constraint Weakness
  • NASL familyMisc.
    NASL idORACLE_SECURE_GLOBAL_DESKTOP_JUL_2018_CPU.NASL
    descriptionThe version of Oracle Secure Global Desktop installed on the remote host is 5.3 / 5.4 and is missing a security patch from the July 2018 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - curl version curl 7.54.1 to and including curl 7.59.0 contains a Heap-based Buffer Overflow vulnerability in FTP connection closing down functionality which can lead to DoS and RCE conditions. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0. (CVE-2018-1000300) - Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. It was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to unauthorized users. (CVE-2018-1305) - ASN.1 types with a recursive definition could exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n). (CVE-2018-0739)
    last seen2020-06-01
    modified2020-06-02
    plugin id111333
    published2018-07-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111333
    titleOracle Secure Global Desktop Multiple Vulnerabilities (July 2018 CPU)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2020-1402.NASL
    descriptionThe host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. (CVE-2018-8034) The URL pattern of
    last seen2020-03-19
    modified2020-03-16
    plugin id134569
    published2020-03-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134569
    titleAmazon Linux 2 : tomcat (ALAS-2020-1402)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2361.NASL
    descriptionAccording to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The URL pattern of
    last seen2020-05-08
    modified2019-12-10
    plugin id131853
    published2019-12-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131853
    titleEulerOS 2.0 SP2 : tomcat (EulerOS-SA-2019-2361)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1992.NASL
    descriptionAccording to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The URL pattern of
    last seen2020-05-08
    modified2019-09-24
    plugin id129186
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129186
    titleEulerOS 2.0 SP5 : tomcat (EulerOS-SA-2019-1992)
  • NASL familyWeb Servers
    NASL idTOMCAT_8_0_50.NASL
    descriptionThe version of Apache Tomcat installed on the remote host is 8.0.x prior to 8.0.50. It is, therefore, affected by a security constraints flaw which could expose resources to unauthorized users.
    last seen2020-03-18
    modified2018-02-23
    plugin id106976
    published2018-02-23
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106976
    titleApache Tomcat 8.0.0.RC1 < 8.0.50 Security Constraint Weakness
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2205.NASL
    descriptionAn update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) * tomcat: Insecure defaults in CORS filter enable
    last seen2020-06-01
    modified2020-06-02
    plugin id127697
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127697
    titleRHEL 7 : tomcat (RHSA-2019:2205)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-A233DAE4AB.NASL
    descriptionThis update includes a rebase from 8.0.49 up to 8.0.50 which resolves two CVEs along with various other bugs/features : - rhbz#1548290 CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources - rhbz#1548284 CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-04-05
    plugin id108838
    published2018-04-05
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108838
    titleFedora 26 : 1:tomcat (2018-a233dae4ab)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0466.NASL
    descriptionAn update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 2 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * apr: Out-of-bounds array deref in apr_time_exp*() functions (CVE-2017-12613) * tomcat: Remote Code Execution via JSP Upload (CVE-2017-12615) * tomcat: Information Disclosure when using VirtualDirContext (CVE-2017-12616) * tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617) * tomcat-native: Mishandling of client certificates can allow for OCSP check bypass (CVE-2017-15698) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id107208
    published2018-03-08
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107208
    titleRHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 2 (RHSA-2018:0466)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2205.NASL
    descriptionAn update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) * tomcat: Insecure defaults in CORS filter enable
    last seen2020-06-01
    modified2020-06-02
    plugin id128376
    published2019-08-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128376
    titleCentOS 7 : tomcat (CESA-2019:2205)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-973.NASL
    descriptionIncorrect documentation of CGI Servlet search algorithm may lead to misconfiguration : As part of the fix for bug 61201, the documentation for Apache Tomcat included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected. (CVE-2017-15706) Late application of security constraints can lead to resource exposure for unauthorised users : Security constraints defined by annotations of Servlets in Apache Tomcat were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. (CVE-2018-1305) Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources : The URL pattern of
    last seen2020-06-01
    modified2020-06-02
    plugin id108598
    published2018-03-27
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/108598
    titleAmazon Linux AMI : tomcat80 (ALAS-2018-973)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2675.NASL
    descriptionAccording to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.(CVE-2018-1305) - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.(CVE-2018-8034) - The URL pattern of
    last seen2020-05-08
    modified2019-12-18
    plugin id132210
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132210
    titleEulerOS 2.0 SP3 : tomcat (EulerOS-SA-2019-2675)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-325.NASL
    descriptionThis update for tomcat fixes the following issues : Security issues fixed : - CVE-2018-1305: Fixed late application of security constraints that can lead to resource exposure for unauthorised users (bsc#1082481). - CVE-2018-1304: Fixed incorrect handling of empty string URL in security constraints that can lead to unintended exposure of resources (bsc#1082480). - CVE-2017-15706: Fixed incorrect documentation of CGI Servlet search algorithm that may lead to misconfiguration (bsc#1078677). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2018-03-30
    plugin id108742
    published2018-03-30
    reporterThis script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/108742
    titleopenSUSE Security Update : tomcat (openSUSE-2018-325)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4281.NASL
    descriptionSeveral issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak.
    last seen2020-06-01
    modified2020-06-02
    plugin id112185
    published2018-08-30
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112185
    titleDebian DSA-4281-1 : tomcat8 - security update
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-972.NASL
    descriptionLate application of security constraints can lead to resource exposure for unauthorised users : Security constraints defined by annotations of Servlets in Apache Tomcat were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. (CVE-2018-1305) Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources : The URL pattern of
    last seen2020-06-01
    modified2020-06-02
    plugin id108597
    published2018-03-27
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/108597
    titleAmazon Linux AMI : tomcat7 / tomcat8 (ALAS-2018-972)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_55C4233E184411E8A7120025908740C2.NASL
    descriptionThe Apache Software Foundation reports : Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. The URL pattern of
    last seen2020-06-01
    modified2020-06-02
    plugin id107043
    published2018-02-28
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107043
    titleFreeBSD : tomcat -- Security constraints ignored or applied too late (55c4233e-1844-11e8-a712-0025908740c2)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1301.NASL
    descriptionTwo security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2018-1304 The URL pattern of
    last seen2020-03-17
    modified2018-03-07
    plugin id107151
    published2018-03-07
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107151
    titleDebian DLA-1301-1 : tomcat7 security update

Redhat

advisories
  • rhsa
    idRHSA-2018:0465
  • rhsa
    idRHSA-2018:0466
  • rhsa
    idRHSA-2018:1320
  • rhsa
    idRHSA-2018:2939
  • rhsa
    idRHSA-2019:2205
rpms
  • mod_cluster-0:1.3.8-2.Final_redhat_2.1.ep7.el6
  • mod_cluster-0:1.3.8-2.Final_redhat_2.1.ep7.el7
  • mod_cluster-tomcat7-0:1.3.8-2.Final_redhat_2.1.ep7.el6
  • mod_cluster-tomcat7-0:1.3.8-2.Final_redhat_2.1.ep7.el7
  • mod_cluster-tomcat8-0:1.3.8-2.Final_redhat_2.1.ep7.el6
  • mod_cluster-tomcat8-0:1.3.8-2.Final_redhat_2.1.ep7.el7
  • tomcat-native-0:1.2.8-11.redhat_11.ep7.el6
  • tomcat-native-0:1.2.8-11.redhat_11.ep7.el7
  • tomcat-native-debuginfo-0:1.2.8-11.redhat_11.ep7.el6
  • tomcat-native-debuginfo-0:1.2.8-11.redhat_11.ep7.el7
  • tomcat-vault-0:1.1.6-1.Final_redhat_1.1.ep7.el6
  • tomcat-vault-0:1.1.6-1.Final_redhat_1.1.ep7.el7
  • tomcat-vault-tomcat7-0:1.1.6-1.Final_redhat_1.1.ep7.el6
  • tomcat-vault-tomcat7-0:1.1.6-1.Final_redhat_1.1.ep7.el7
  • tomcat-vault-tomcat8-0:1.1.6-1.Final_redhat_1.1.ep7.el6
  • tomcat-vault-tomcat8-0:1.1.6-1.Final_redhat_1.1.ep7.el7
  • tomcat7-0:7.0.70-25.ep7.el6
  • tomcat7-0:7.0.70-25.ep7.el7
  • tomcat7-admin-webapps-0:7.0.70-25.ep7.el6
  • tomcat7-admin-webapps-0:7.0.70-25.ep7.el7
  • tomcat7-docs-webapp-0:7.0.70-25.ep7.el6
  • tomcat7-docs-webapp-0:7.0.70-25.ep7.el7
  • tomcat7-el-2.2-api-0:7.0.70-25.ep7.el6
  • tomcat7-el-2.2-api-0:7.0.70-25.ep7.el7
  • tomcat7-javadoc-0:7.0.70-25.ep7.el6
  • tomcat7-javadoc-0:7.0.70-25.ep7.el7
  • tomcat7-jsp-2.2-api-0:7.0.70-25.ep7.el6
  • tomcat7-jsp-2.2-api-0:7.0.70-25.ep7.el7
  • tomcat7-jsvc-0:7.0.70-25.ep7.el6
  • tomcat7-jsvc-0:7.0.70-25.ep7.el7
  • tomcat7-lib-0:7.0.70-25.ep7.el6
  • tomcat7-lib-0:7.0.70-25.ep7.el7
  • tomcat7-log4j-0:7.0.70-25.ep7.el6
  • tomcat7-log4j-0:7.0.70-25.ep7.el7
  • tomcat7-selinux-0:7.0.70-25.ep7.el6
  • tomcat7-selinux-0:7.0.70-25.ep7.el7
  • tomcat7-servlet-3.0-api-0:7.0.70-25.ep7.el6
  • tomcat7-servlet-3.0-api-0:7.0.70-25.ep7.el7
  • tomcat7-webapps-0:7.0.70-25.ep7.el6
  • tomcat7-webapps-0:7.0.70-25.ep7.el7
  • tomcat8-0:8.0.36-29.ep7.el6
  • tomcat8-0:8.0.36-29.ep7.el7
  • tomcat8-admin-webapps-0:8.0.36-29.ep7.el6
  • tomcat8-admin-webapps-0:8.0.36-29.ep7.el7
  • tomcat8-docs-webapp-0:8.0.36-29.ep7.el6
  • tomcat8-docs-webapp-0:8.0.36-29.ep7.el7
  • tomcat8-el-2.2-api-0:8.0.36-29.ep7.el6
  • tomcat8-el-2.2-api-0:8.0.36-29.ep7.el7
  • tomcat8-javadoc-0:8.0.36-29.ep7.el6
  • tomcat8-javadoc-0:8.0.36-29.ep7.el7
  • tomcat8-jsp-2.3-api-0:8.0.36-29.ep7.el6
  • tomcat8-jsp-2.3-api-0:8.0.36-29.ep7.el7
  • tomcat8-jsvc-0:8.0.36-29.ep7.el6
  • tomcat8-jsvc-0:8.0.36-29.ep7.el7
  • tomcat8-lib-0:8.0.36-29.ep7.el6
  • tomcat8-lib-0:8.0.36-29.ep7.el7
  • tomcat8-log4j-0:8.0.36-29.ep7.el6
  • tomcat8-log4j-0:8.0.36-29.ep7.el7
  • tomcat8-selinux-0:8.0.36-29.ep7.el6
  • tomcat8-selinux-0:8.0.36-29.ep7.el7
  • tomcat8-servlet-3.1-api-0:8.0.36-29.ep7.el6
  • tomcat8-servlet-3.1-api-0:8.0.36-29.ep7.el7
  • tomcat8-webapps-0:8.0.36-29.ep7.el6
  • tomcat8-webapps-0:8.0.36-29.ep7.el7
  • tomcat-0:7.0.76-9.el7
  • tomcat-admin-webapps-0:7.0.76-9.el7
  • tomcat-docs-webapp-0:7.0.76-9.el7
  • tomcat-el-2.2-api-0:7.0.76-9.el7
  • tomcat-javadoc-0:7.0.76-9.el7
  • tomcat-jsp-2.2-api-0:7.0.76-9.el7
  • tomcat-jsvc-0:7.0.76-9.el7
  • tomcat-lib-0:7.0.76-9.el7
  • tomcat-servlet-3.0-api-0:7.0.76-9.el7
  • tomcat-webapps-0:7.0.76-9.el7

Seebug

bulletinFamilyexploit
description### Vendor: The Apache Software Foundation ### Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.4 Apache Tomcat 8.5.0 to 8.5.27 Apache Tomcat 8.0.0.RC1 to 8.0.49 Apache Tomcat 7.0.0 to 7.0.84 ### Description: Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. ### Mitigation: Users of the affected versions should apply one of the following mitigations. Upgrade to: - Apache Tomcat 9.0.5 or later - Apache Tomcat 8.5.28 or later - Apache Tomcat 8.0.50 or later - Apache Tomcat 7.0.85 or later
idSSV:97149
last seen2018-02-27
modified2018-02-27
published2018-02-27
reporterRoot
titleApache Tomcat Security Bypass Vulnerability (CVE-2018-1305)

References