{
  "threat_severity" : "Moderate",
  "public_date" : "2018-02-23T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: Late application of security constraints can lead to resource exposure for unauthorised users",
    "id" : "1548282",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1548282"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-08-06T00:00:00Z",
    "advisory" : "RHSA-2019:2205",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "tomcat-0:7.0.76-9.el7"
  }, {
    "product_name" : "Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8",
    "release_date" : "2018-10-17T00:00:00Z",
    "advisory" : "RHSA-2018:2939",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.1",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0465",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "mod_cluster-0:1.3.8-2.Final_redhat_2.1.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat7-0:7.0.70-25.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat8-0:8.0.36-29.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat-native-0:1.2.8-11.redhat_11.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat-vault-0:1.1.6-1.Final_redhat_1.1.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "mod_cluster-0:1.3.8-2.Final_redhat_2.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat7-0:7.0.70-25.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat8-0:8.0.36-29.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat-native-0:1.2.8-11.redhat_11.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2018-03-07T00:00:00Z",
    "advisory" : "RHSA-2018:0466",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat-vault-0:1.1.6-1.Final_redhat_1.1.ep7.el7"
  }, {
    "product_name" : "Red Hat Openshift Application Runtimes",
    "release_date" : "2018-05-03T00:00:00Z",
    "advisory" : "RHSA-2018:1320",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "tomcat5",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-deps:10.6/pki-servlet-container",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat7",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "karaf",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Integration Service 2",
    "fix_state" : "Affected",
    "package_name" : "tomcat8",
    "cpe" : "cpe:/a:redhat:fuse_integration_services:2"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss Portal 6",
    "fix_state" : "Will not fix",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-java-common-tomcat",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1305\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1305\nhttps://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.85\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.50\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.28" ],
  "name" : "CVE-2018-1305",
  "csaw" : false
}