CVE-2018-1305 in Instant Messaging Serverinfo

Summary

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Reservation

12/07/2017

Disclosure

02/23/2018

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
137895	Oracle Instant Messaging Server Apache Tika access control	284	Not defined	Official fix	CVE-2018-1305
133733	Oracle MICROS Relate CRM Software Internal Operations information disclosure	200	Not defined	Official fix	CVE-2018-1305
133618	Oracle Managed File Transfer MFT Runtime Server information disclosure	200	Not defined	Official fix	CVE-2018-1305
133617	Oracle FMW Platform Provisioning information disclosure	200	Not defined	Official fix	CVE-2018-1305
125649	Oracle Transportation Management Install access control	284	Not defined	Official fix	CVE-2018-1305
125648	Oracle Agile PLM Folders/Files / Attachments access control	284	Not defined	Official fix	CVE-2018-1305
125647	Oracle Agile Engineering Data Management Install (Apache Tomcat) access control	284	Not defined	Official fix	CVE-2018-1305
125625	Oracle Siebel CRM Marketing Apps access control	284	Not defined	Official fix	CVE-2018-1305
125623	Oracle Retail Order Broker Upgrade Install access control	284	Not defined	Official fix	CVE-2018-1305
125622	Oracle MICROS XBRi Retail access control	284	Not defined	Official fix	CVE-2018-1305
125494	Oracle Hospitality Guest Access Apache Tomcat access control	284	Not defined	Official fix	CVE-2018-1305
125474	Oracle WebCenter Sites Advanced UI access control	284	Not defined	Official fix	CVE-2018-1305
125391	Oracle Construction/Engineering Suite Instantis EnterpriseTrack access control	284	Not defined	Official fix	CVE-2018-1305
121896	Oracle Secure Global Desktop Application Server access control	284	Not defined	Official fix	CVE-2018-1305
113747	Apache Tomcat Servlets access control	284	Not defined	Official fix	CVE-2018-1305

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

◂ PreviousOverviewNext ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!