CVE-2018-1304
Security Bypass vulnerability in tomcat-embed-core (Maven)
What is CVE-2018-1304 About?
This vulnerability in Apache Tomcat is an authorization bypass: a security constraint whose url-pattern is the empty string ("") is silently ignored, so the resource it was meant to protect is served to anyone. The Servlet specification reserves the empty-string pattern as an exact match for the application's context root (a request for the application's base path), and Tomcat's constraint matching did not handle that special case. Exploitation is a single unauthenticated request for the context root; the attacker needs nothing beyond the application's path.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
- >=7.0.0, <7.0.86
- >=8.0.0, <8.0.51
- >=8.5.0, <8.5.28
- >=9.0.0, <9.0.5
Technical Details
The vulnerability exists in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84. The Servlet specification defines the empty string ("") as a url-pattern that maps exactly to the context root, that is, a request for the application's base path with nothing after it. When that pattern is used in a <security-constraint> (in web.xml or the equivalent programmatic declaration), Tomcat's constraint matching never matched it against the incoming request for the context root, so the whole constraint was skipped and the auth-constraint or user-data-constraint attached to it was never enforced. Unauthorized users could therefore retrieve the resource served at the context root. Only constraints declared with the empty-string pattern are affected: constraints using any other pattern ("/admin/*", "*.jsp", "/") continue to be enforced, and a constraint on "/*" still covers the context root.
What is the Impact of CVE-2018-1304?
Successful exploitation lets a client that should have been denied (anonymous, or authenticated without the required role) retrieve the resource served at the application's context root, typically the welcome file or the servlet mapped there, even though a constraint required a role or a confidential transport for it. The bypass is limited to that one mapping; resources protected by any other url-pattern are unaffected, so the real impact depends on what the application serves at its root.
What is the Exploitability of CVE-2018-1304?
Exploitation is a single request for the context root of an application that protects it with an empty-string url-pattern; any HTTP client will do and the attack has low complexity. No authentication or special privilege is needed, because the constraint is skipped entirely rather than evaluated against the caller's roles. The attacker only needs network access to the Tomcat instance. The one precondition is that the deployment actually declares a security constraint with the empty-string pattern; applications that protect their root through "/*", "/" or an explicit resource path are not affected. To check a deployment, request the application's context root without credentials and confirm that the container challenges for authentication or returns 403 rather than serving the content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| knqyf263 | Link | PoC for CVE-2018-1304 |
| thariyarox | Link | PoC for CVE-2018-1304 |
What are the Available Fixes for CVE-2018-1304?
About the Fix from Resolved Security
The patch makes Tomcat's security-constraint matching treat an empty-string ("") url-pattern as an exact match for the context root, the request whose path the container normalises to "/", so a constraint declared that way is enforced like any other. The fix first landed in 7.0.85 and 8.0.50, but the release votes for those candidates did not pass and they were never published; that is why the affected ranges end at 7.0.84 and 8.0.49 while the first downloadable fixed releases are 7.0.86 and 8.0.51.
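The matching behaviour described in Technical Details and in the fix above, as a simplified model added here; it is not Tomcat's code. The web.xml fragment (WEB_XML) is constructed for the illustration, and the helpers constraint_patterns, pattern_matches and is_protected are assumptions of this example. The model assumes what the fix description states: the container normalises a request for the context root to the path "/", the unpatched matcher compares patterns literally (so "" never matches "/"), and the patched matcher treats "" as that root request.

```python
"""Simplified model of <security-constraint> url-pattern matching.

Added illustration for CVE-2018-1304, not Tomcat's own code.  It parses a
constructed web.xml, then asks whether a request path is covered by any
constraint under two assumed matcher behaviours: the vulnerable one, in
which the empty-string pattern never matches, and the fixed one, in which
"" is treated as the context root "/".
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not taken from any real deployment).  The
# landing page is protected only through the empty-string pattern, which the
# Servlet specification defines as an exact match for the context root.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Landing page</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}


def constraint_patterns(web_xml):
    """Return every <url-pattern> under a <security-constraint>, literally.

    An empty element has no text node, so it comes back as "" rather than
    None; that empty string is exactly the pattern CVE-2018-1304 concerns.
    """
    root = ET.fromstring(web_xml)
    xpath = "./j:security-constraint/j:web-resource-collection/j:url-pattern"
    return [elem.text or "" for elem in root.findall(xpath, NS)]


def pattern_matches(pattern, path, fixed):
    """Does `pattern` cover the request `path` (relative to the context root)?

    Assumed container behaviour: a request for the context root itself is
    normalised to "/" before constraints are matched.
    """
    if path == "":
        path = "/"
    # Exact match.  Because the normalised root path is "/", a literal
    # comparison against "" can never succeed, so an unpatched matcher
    # silently skips the context-root constraint.
    if path == pattern:
        return True
    # The fix: the empty-string pattern is the context root.
    if fixed and pattern == "" and path == "/":
        return True
    # Path-prefix match: "/admin/*" covers "/admin" and "/admin/...";
    # "/*" has an empty prefix and therefore covers everything, root included.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    # Extension match: "*.jsp" covers any path ending in ".jsp".
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    # The default-servlet pattern "/" covers everything.
    return pattern == "/"


def is_protected(patterns, path, fixed):
    """True if at least one constraint pattern applies to `path`."""
    return any(pattern_matches(p, path, fixed) for p in patterns)


if __name__ == "__main__":
    patterns = constraint_patterns(WEB_XML)
    for path in ("/", "/admin/users", "/public/index.html"):
        print(f"{path:20} vulnerable={is_protected(patterns, path, False)!s:5} "
              f"fixed={is_protected(patterns, path, True)}")
    # A "/*" constraint covers the context root even on unpatched versions,
    # at the cost of protecting every other path as well.
    print("'/*' covers root on unpatched:", is_protected(["/*"], "/", False))
```

Run stand-alone, the model reports the context root as unprotected under the vulnerable matcher and protected under the fixed one, while "/admin/users" is protected in both. The last line shows the pre-upgrade mitigation implied by the advisory: a "/*" constraint reaches the context root even on affected versions, but it also constrains every other path in the application, so it is a stop-gap rather than a substitute for upgrading.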
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
- >=7.0.0, <7.0.86 → Upgrade to 7.0.86
- org.apache.tomcat.embed:tomcat-embed-core
- >=8.0.0, <8.0.51 → Upgrade to 8.0.51
- org.apache.tomcat.embed:tomcat-embed-core
- >=8.5.0, <8.5.28 → Upgrade to 8.5.28
- org.apache.tomcat.embed:tomcat-embed-core
- >=9.0.0, <9.0.5 → Upgrade to 9.0.5
Additional Resources
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html
What are Similar Vulnerabilities to CVE-2018-1304?
Similar Vulnerabilities (other Apache Tomcat advisories): CVE-2020-1938, CVE-2019-0232, CVE-2019-0221, CVE-2018-8037, CVE-2018-8014
