Access Restriction Bypass Affecting org.apache.tomcat.embed:tomcat-embed-core Open this link in a new tab package, versions [7.0.0,7.0.85) [8.0.0.RC1,8.0.50) [8.5.0,8.5.28) [9.0.0.M1,9.0.5)
Do your applications use this vulnerable package?
5 Mar 2018
23 Feb 2018
How to fix?
org.apache.tomcat.embed:tomcat-embed-core to version 7.0.85, 8.0.50, 8.5.28, 9.0.5 or higher.
org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.
Affected versions of this package are vulnerable to Access Restriction Bypass. The URL pattern of (the empty string) which exactly maps to the context root was not correctly handled, this caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.