suse · CVE-2018-1304

Quick triage

Priority: medium
Published: 2021-05-30 14:07:04 UTC
Updated: 2025-11-05 03:41:20 UTC


Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2018-1304, severity moderate. SUSE tracks 64 source package names (tomcat-7.0.76-9.el7, tomcat-7.0.90-7.23.1, …) and 151 product×package rows across 18 product lines (SUSE Liberty Linux 7, SUSE Linux Enterprise High Performance Computing 12 SP5, …): Fixed 150, Known Not Affected 1.

Description:

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

cvelogic Threat Intelligence