- Home
- CVEs with nessus.description==Incorrect documentation of CGI Servlet search algorithm may lead to
misconfiguration :
As part of the fix for bug 61201, the documentation for Apache Tomcat
included an updated description of the search algorithm used by the
CGI Servlet to identify which script to execute. The update was not
correct. As a result, some scripts may have failed to execute as
expected and other scripts may have been executed unexpectedly. Note
that the behaviour of the CGI servlet has remained unchanged in this
regard. It is only the documentation of the behaviour that was wrong
and has been corrected. (CVE-2017-15706)
Late application of security constraints can lead to resource exposure
for unauthorised users :
Security constraints defined by annotations of Servlets in Apache
Tomcat were only applied once a Servlet had been loaded. Because
security constraints defined in this way apply to the URL pattern and
any URLs below that point, it was possible - depending on the order
Servlets were loaded - for some security constraints not to be
applied. This could have exposed resources to users who were not
authorised to access them. (CVE-2018-1305)
Incorrect handling of empty string URL in security constraints can
lead to unintended exposure of resources :
The URL pattern of '' (the empty string) which exactly maps to the
context root was not correctly handled in Apache Tomcat when used as
part of a security constraint definition. This caused the constraint
to be ignored. It was, therefore, possible for unauthorised users to
gain access to web application resources that should have been
protected. Only security constraints with a URL pattern of the empty
string were affected. (CVE-2018-1304)
Max CVSS | 0 |
Min CVSS | 0 |
Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
Back to Top
Mark selected
Back to Top