CVE-2018-1304

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

References

Affected packages

Git / git.samba.org/rsync.git/

Affected ranges

Type: GIT
Repo: https://git.samba.org/rsync.git/
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

4cb6197b21d9860736c8e6d81b8eb8cac53beb5a

Affected versions

Other

mbp_bk_export0

v1.*

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.4

v2.*

v2.0.0

v2.0.1

v2.0.10

v2.0.11

v2.0.12

v2.0.13

v2.0.14

v2.0.15

v2.0.16

v2.0.17

v2.0.18

v2.0.19

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.1

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7pre2

v2.4.7pre4

v2.5.0

v2.5.1

v2.5.1pre1

v2.5.1pre2

v2.5.1pre3

v2.5.2

v2.5.2pre1

v2.5.2pre2

v2.5.2pre3

v2.5.3

v2.5.3pre1

v2.5.4

v2.5.4pre1

v2.5.5

v2.5.5.rc1

v2.5.6

v2.6.0

v2.6.0pre1

v2.6.0pre2

v2.6.1

v2.6.1pre1

v2.6.1pre2

v2.6.2

v2.6.2pre1

v2.6.3

v2.6.3pre1

v2.6.3pre2

v2.6.4

v2.6.4pre1

v2.6.4pre2

v2.6.4pre3

v2.6.4pre4

v2.6.5

v2.6.5pre1

v2.6.5pre2

v2.6.6pre1

v2.6.7

v2.6.7pre1

v2.6.7pre2

v2.6.7pre3

v2.6.8

v2.6.8pre1

v2.6.9

v2.6.9pre1

v2.6.9pre2

v2.6.9pre3

v3.*

v3.0.0

v3.0.0pre1

v3.0.0pre10

v3.0.0pre2

v3.0.0pre3

v3.0.0pre4

v3.0.0pre5

v3.0.0pre6

v3.0.0pre7

v3.0.0pre8

v3.0.0pre9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1304.json"