{"id":"CVE-2018-1304","details":"The URL pattern of \"\" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.","aliases":["GHSA-6rxj-58jh-436r"],"modified":"2026-04-02T00:39:53.656345Z","published":"2018-02-28T20:29:00.227Z","related":["MGASA-2018-0149","SUSE-SU-2018:0817-1","SUSE-SU-2018:1847-1","SUSE-SU-2018:3261-1","SUSE-SU-2018:3388-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"WEB","url":"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0465"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1450"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2939"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1040427"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1447"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0466"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4281"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/103170"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1451"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3665-1/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1448"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2205"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1320"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1449"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html"},{"type":"REPORT","url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"type":"FIX","url":"https://security.netapp.com/advisory/ntap-20180706-0001/"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"last_affected":"3c2d9937c285b0b2ef02d02d703bc64f00a2c5b7"},{"introduced":"e37b977db6f47e4380ad67114a49e8568951c953"},{"last_affected":"d4e9735adc0819314811c134d7899adcdb0f629e"},{"introduced":"16bf392c67833ad549733b58c350ff92b5ee782a"},{"last_affected":"f496ba0669fcdc034683aab80e627de5aee50b8e"},{"introduced":"0"},{"last_affected":"29b07def810d335012e738b22ab44d4e232b50d1"},{"introduced":"0"},{"last_affected":"10e04de1946981261a734507f4a6d953e2a206fe"},{"introduced":"0"},{"last_affected":"65ddc3a3872ea41ca67fec7b6834c704b6893361"},{"introduced":"0"},{"last_affected":"b5a74e3c7913c560648f0ffedfbbb3ebe4318def"},{"introduced":"0"},{"last_affected":"de128d72af746184e035ff1b53629f08cb141a04"},{"introduced":"0"},{"last_affected":"aac670afe1226e10513021100fce8a12344743c6"},{"introduced":"0"},{"last_affected":"c2c8107f0cea4755497a85990807b883b66f6b57"},{"introduced":"0"},{"last_affected":"8c48678b110f3fbbe66f6dde0e45d2578fa92c29"},{"introduced":"0"},{"last_affected":"9c5edb840d9413c1408e7c191bc0e1bbfcd9e07f"},{"introduced":"0"},{"last_affected":"59e713216cf2256aacc54f6ba627865f356f9e4e"},{"introduced":"0"},{"last_affected":"7dc5e29fe49850102261badf158752d6865311e4"},{"introduced":"0"},{"last_affected":"18b014d8691909be6153ae7db022a6c35f9c93ea"},{"introduced":"0"},{"last_affected":"600dc8ba5d9be7599d29bff83c342213d93b034e"},{"introduced":"0"},{"last_affected":"3bd48aab236e5bf0ed1644e9f0c588fd20e503ab"},{"introduced":"0"},{"last_affected":"642d3dd4d50ea1f03f9827962e4fc982a123bb78"},{"introduced":"0"},{"last_affected":"24566c02fb917a6ca1b6479a60971b0d8acd895c"},{"introduced":"0"},{"last_affected":"cac0e029dcced854eeca7444710e78e412dc2c2a"},{"introduced":"0"},{"last_affected":"c5efed313de1a181f4f9f98f5023117f3b911257"},{"introduced":"0"},{"last_affected":"ab04166fac59fcf9b3be3aab1c8b896842782d4c"},{"introduced":"0"},{"last_affected":"35071e7e52f296b9187b054b0efd74121b7db3bd"},{"introduced":"0"},{"last_affected":"d1dc05e934e089ea8907998cf850760017a0ed82"},{"introduced":"0"},{"last_affected":"fd7f13635e6855f6ba3fead0bf37ba2fbf8b68cf"},{"introduced":"0"},{"last_affected":"c7b84102600d600bcc527560d9c4d10c3fd440ab"},{"introduced":"0"},{"last_affected":"d8ebf61e51b4455e3c226751e492a533f9002d48"},{"introduced":"0"},{"last_affected":"aba238718ac9b149d25feaa9a14ecad3b0e3a5e2"},{"introduced":"0"},{"last_affected":"fe854ab1f111396458d98fa2ab08c693ce9407e1"},{"introduced":"0"},{"last_affected":"45f8fd74cdb96490fab8709263a4d862f0d429cf"},{"introduced":"0"},{"last_affected":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"introduced":"0"},{"last_affected":"16bf392c67833ad549733b58c350ff92b5ee782a"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"last_affected":"7.0.84"},{"introduced":"8.5.0"},{"last_affected":"8.5.27"},{"introduced":"9.0.0"},{"last_affected":"9.0.4"},{"introduced":"0"},{"last_affected":"9.0.0-milestone1"},{"introduced":"0"},{"last_affected":"9.0.0-milestone10"},{"introduced":"0"},{"last_affected":"9.0.0-milestone11"},{"introduced":"0"},{"last_affected":"9.0.0-milestone12"},{"introduced":"0"},{"last_affected":"9.0.0-milestone13"},{"introduced":"0"},{"last_affected":"9.0.0-milestone14"},{"introduced":"0"},{"last_affected":"9.0.0-milestone15"},{"introduced":"0"},{"last_affected":"9.0.0-milestone16"},{"introduced":"0"},{"last_affected":"9.0.0-milestone17"},{"introduced":"0"},{"last_affected":"9.0.0-milestone18"},{"introduced":"0"},{"last_affected":"9.0.0-milestone19"},{"introduced":"0"},{"last_affected":"9.0.0-milestone2"},{"introduced":"0"},{"last_affected":"9.0.0-milestone20"},{"introduced":"0"},{"last_affected":"9.0.0-milestone21"},{"introduced":"0"},{"last_affected":"9.0.0-milestone22"},{"introduced":"0"},{"last_affected":"9.0.0-milestone23"},{"introduced":"0"},{"last_affected":"9.0.0-milestone24"},{"introduced":"0"},{"last_affected":"9.0.0-milestone25"},{"introduced":"0"},{"last_affected":"9.0.0-milestone26"},{"introduced":"0"},{"last_affected":"9.0.0-milestone27"},{"introduced":"0"},{"last_affected":"9.0.0-milestone3"},{"introduced":"0"},{"last_affected":"9.0.0-milestone4"},{"introduced":"0"},{"last_affected":"9.0.0-milestone5"},{"introduced":"0"},{"last_affected":"9.0.0-milestone6"},{"introduced":"0"},{"last_affected":"9.0.0-milestone7"},{"introduced":"0"},{"last_affected":"9.0.0-milestone8"},{"introduced":"0"},{"last_affected":"9.0.0-milestone9"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"0"},{"last_affected":"9.0"}]}}],"versions":["10.0.0","10.0.0-M1","10.0.0-M10","10.0.0-M2","10.0.0-M3","10.0.0-M4","10.0.0-M5","10.0.0-M6","10.0.0-M7","10.0.0-M8","10.0.0-M9","10.0.0.0-M1","10.0.1","10.0.10","10.0.11","10.0.12","10.0.13","10.0.14","10.0.15","10.0.16","10.0.17","10.0.18","10.0.19","10.0.2","10.0.20","10.0.21","10.0.22","10.0.23","10.0.24","10.0.25","10.0.26","10.0.27","10.0.3","10.0.4","10.0.5","10.0.6","10.0.7","10.0.8","10.0.9","10.1.0","10.1.0-M1","10.1.0-M10","10.1.0-M11","10.1.0-M12","10.1.0-M13","10.1.0-M14","10.1.0-M15","10.1.0-M16","10.1.0-M17","10.1.0-M18","10.1.0-M19","10.1.0-M2","10.1.0-M20","10.1.0-M3","10.1.0-M4","10.1.0-M5","10.1.0-M6","10.1.0-M7","10.1.0-M8","10.1.0-M9","10.1.1","10.1.10","10.1.11","10.1.12","10.1.13","10.1.14","10.1.15","10.1.16","10.1.17","10.1.18","10.1.19","10.1.2","10.1.20","10.1.22","10.1.23","10.1.24","10.1.25","10.1.26","10.1.27","10.1.28","10.1.29","10.1.3","10.1.30","10.1.31","10.1.32","10.1.33","10.1.34","10.1.35","10.1.36","10.1.37","10.1.38","10.1.39","10.1.4","10.1.40","10.1.41","10.1.42","10.1.43","10.1.44","10.1.45","10.1.46","10.1.47","10.1.48","10.1.49","10.1.5","10.1.50","10.1.51","10.1.52","10.1.6","10.1.7","10.1.8","10.1.9","11.0.0","11.0.0-M1","11.0.0-M10","11.0.0-M11","11.0.0-M12","11.0.0-M13","11.0.0-M14","11.0.0-M15","11.0.0-M16","11.0.0-M17","11.0.0-M18","11.0.0-M19","11.0.0-M2","11.0.0-M20","11.0.0-M21","11.0.0-M22","11.0.0-M23","11.0.0-M24","11.0.0-M25","11.0.0-M26","11.0.0-M3","11.0.0-M4","11.0.0-M5","11.0.0-M6","11.0.0-M7","11.0.0-M8","11.0.0-M9","11.0.1","11.0.10","11.0.11","11.0.12","11.0.13","11.0.14","11.0.15","11.0.16","11.0.17","11.0.18","11.0.2","11.0.3","11.0.4","11.0.5","11.0.6","11.0.7","11.0.8","11.0.9","7.0.0","7.0.0-RC1","7.0.0-RC2","7.0.0-RC3","7.0.0-RC4","7.0.1","7.0.10","7.0.100","7.0.101","7.0.102","7.0.103","7.0.104","7.0.105","7.0.106","7.0.107","7.0.108","7.0.109","7.0.11","7.0.12","7.0.13","7.0.14","7.0.15","7.0.16","7.0.17","7.0.18","7.0.19","7.0.2","7.0.20","7.0.21","7.0.22","7.0.23","7.0.24","7.0.25","7.0.26","7.0.27","7.0.28","7.0.29","7.0.3","7.0.30","7.0.31","7.0.32","7.0.33","7.0.34","7.0.35","7.0.36","7.0.37","7.0.38","7.0.39","7.0.4","7.0.40","7.0.41","7.0.42","7.0.43","7.0.44","7.0.45","7.0.46","7.0.47","7.0.48","7.0.49","7.0.5","7.0.50","7.0.51","7.0.52","7.0.53","7.0.54","7.0.55","7.0.56","7.0.57","7.0.58","7.0.59","7.0.6","7.0.60","7.0.61","7.0.62","7.0.63","7.0.64","7.0.65","7.0.66","7.0.67","7.0.68","7.0.69","7.0.7","7.0.70","7.0.71","7.0.72","7.0.73","7.0.74","7.0.75","7.0.76","7.0.77","7.0.78","7.0.79","7.0.8","7.0.80","7.0.81","7.0.82","7.0.83","7.0.84","7.0.85","7.0.86","7.0.87","7.0.88","7.0.89","7.0.9","7.0.90","7.0.91","7.0.92","7.0.93","7.0.94","7.0.95","7.0.96","7.0.97","7.0.98","7.0.99","8.5.0","8.5.1","8.5.10","8.5.100","8.5.11","8.5.12","8.5.13","8.5.14","8.5.15","8.5.16","8.5.17","8.5.18","8.5.19","8.5.2","8.5.20","8.5.21","8.5.22","8.5.23","8.5.24","8.5.25","8.5.26","8.5.27","8.5.28","8.5.29","8.5.3","8.5.30","8.5.31","8.5.32","8.5.33","8.5.34","8.5.35","8.5.36","8.5.37","8.5.38","8.5.39","8.5.4","8.5.40","8.5.41","8.5.42","8.5.43","8.5.44","8.5.45","8.5.46","8.5.47","8.5.48","8.5.49","8.5.5","8.5.50","8.5.51","8.5.52","8.5.53","8.5.54","8.5.55","8.5.56","8.5.57","8.5.58","8.5.59","8.5.6","8.5.60","8.5.61","8.5.62","8.5.63","8.5.64","8.5.65","8.5.66","8.5.67","8.5.68","8.5.69","8.5.7","8.5.70","8.5.71","8.5.72","8.5.73","8.5.74","8.5.75","8.5.76","8.5.77","8.5.78","8.5.79","8.5.8","8.5.80","8.5.81","8.5.82","8.5.83","8.5.84","8.5.85","8.5.86","8.5.87","8.5.88","8.5.89","8.5.9","8.5.90","8.5.91","8.5.92","8.5.93","8.5.94","8.5.95","8.5.96","8.5.97","8.5.98","8.5.99","9.0.0","9.0.0-M1","9.0.0-M10","9.0.0-M11","9.0.0-M12","9.0.0-M13","9.0.0-M14","9.0.0-M15","9.0.0-M16","9.0.0-M17","9.0.0-M18","9.0.0-M19","9.0.0-M2","9.0.0-M20","9.0.0-M21","9.0.0-M22","9.0.0-M23","9.0.0-M24","9.0.0-M25","9.0.0-M26","9.0.0-M27","9.0.0-M3","9.0.0-M4","9.0.0-M5","9.0.0-M6","9.0.0-M7","9.0.0-M8","9.0.0-M9","9.0.1","9.0.10","9.0.100","9.0.101","9.0.102","9.0.103","9.0.104","9.0.105","9.0.106","9.0.107","9.0.108","9.0.109","9.0.11","9.0.110","9.0.111","9.0.112","9.0.113","9.0.114","9.0.115","9.0.12","9.0.13","9.0.14","9.0.15","9.0.16","9.0.17","9.0.18","9.0.19","9.0.2","9.0.20","9.0.21","9.0.22","9.0.23","9.0.24","9.0.25","9.0.26","9.0.27","9.0.28","9.0.29","9.0.3","9.0.30","9.0.31","9.0.32","9.0.33","9.0.34","9.0.35","9.0.36","9.0.37","9.0.38","9.0.39","9.0.4","9.0.40","9.0.41","9.0.42","9.0.43","9.0.44","9.0.45","9.0.46","9.0.47","9.0.48","9.0.49","9.0.5","9.0.50","9.0.51","9.0.52","9.0.53","9.0.54","9.0.55","9.0.56","9.0.57","9.0.58","9.0.59","9.0.6","9.0.60","9.0.61","9.0.62","9.0.63","9.0.64","9.0.65","9.0.66","9.0.67","9.0.68","9.0.69","9.0.7","9.0.70","9.0.71","9.0.72","9.0.73","9.0.74","9.0.75","9.0.76","9.0.77","9.0.78","9.0.79","9.0.8","9.0.80","9.0.81","9.0.82","9.0.83","9.0.84","9.0.85","9.0.86","9.0.87","9.0.88","9.0.89","9.0.9","9.0.90","9.0.91","9.0.92","9.0.93","9.0.94","9.0.95","9.0.96","9.0.97","9.0.98","9.0.99"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1304.json","unresolved_ranges":[{"events":[{"introduced":"8.0.0"},{"last_affected":"8.0.49"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"6"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"17.10"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"11.4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4"}]},{"events":[{"introduced":"0"},{"last_affected":"1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}