oss-sec mailing list archives

Re: Fwd: [SECURITY] CVE-2018-1304 Security constraints mapped to context root are ignored


From: Doran Moppert <dmoppert () redhat com>
Date: Fri, 23 Feb 2018 14:59:49 +1030

On Feb 23 2018, Mark Thomas wrote:
> CVE-2018-1304 Security constraints mapped to context root are ignored
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Review security constraints and confirm none use a URL pattern of ""
>   (the empty string)

Will a URL pattern of "/" correctly protect the context root of
vulnerable versions?  If so, this seems worth mentioning.

-- 
Doran Moppert
Red Hat Product Security
