Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 556
Alerts This Week
Warning Icon 1 556

Debian 7 DLA-1301-1 Critical Tomcat7 Access Control Issues

debian lts
Calendar Grey March 6, 2018
Dist Debian Esm H88
Tomcat 9 patch rectifies significant vulnerabilities revealing unapproved entry due to defects in access controls.
Two security vulnerabilities have been discovered in the Tomcat servlet and JSP engine

Summary

CVE-2018-1305
Security constraints defined by annotations of Servlets in Apache
Tomcat were only applied once a Servlet had been loaded. Because
security constraints defined in this way apply to the URL pattern
and any URLs below that point, it was possible - depending on the
order Servlets were loaded - for some security constraints not to be
applied. This could have exposed resources to users who were not
authorized to access them.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u18.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
critical
Lowest
Low
Medium
High
Critical

Package: tomcat7
Version: 7.0.28-4+deb7u18
CVE ID: CVE-2018-1304 CVE-2018-1305

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.