- Home
- CVEs with nessus.description==Late application of security constraints can lead to resource exposure
for unauthorised users :
Security constraints defined by annotations of Servlets in Apache
Tomcat were only applied once a Servlet had been loaded. Because
security constraints defined in this way apply to the URL pattern and
any URLs below that point, it was possible - depending on the order
Servlets were loaded - for some security constraints not to be
applied. This could have exposed resources to users who were not
authorised to access them. (CVE-2018-1305)
Incorrect handling of empty string URL in security constraints can
lead to unintended exposure of resources :
The URL pattern of '' (the empty string) which exactly maps to the
context root was not correctly handled in Apache Tomcat when used as
part of a security constraint definition. This caused the constraint
to be ignored. It was, therefore, possible for unauthorised users to
gain access to web application resources that should have been
protected. Only security constraints with a URL pattern of the empty
string were affected. (CVE-2018-1304)
Max CVSS | 0 |
Min CVSS | 0 |
Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
Back to Top
Mark selected
Back to Top