View at Official suse advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2018-1304 severity moderate: SUSE including 64 source package names (tomcat-7.0.76-9.el7, tomcat-7.0.90-7.23.1, …), 151 product×package rows across 18 product lines (SUSE Liberty Linux 7, SUSE Linux Enterprise High Performance Computing 12 SP5, … (18 product lines)): Fixed 150, Known Not Affected 1.
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.