Hi All,

Thanks for all the help and work you great people do.

 My question is regarding CVE-2018-1305
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305> and
CVE-2018-1304 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304>
were fixed in the latest builds.
We use Tomcat 7.x.

a) When can we expect the CVE scores determined for these vulnerabilities.
On NVD, it still says awaiting analysis.
This information would help us determine the SLA on when we can update
tomcat builds.

b) Regarding 1st CVE (#1305), we do not use annotation based security
constraints. Instead we configure it in our web.xml.
With this understanding, is it safe to consider we are not vulnerable?

c) Regarding 2nd CVE (#1304), the url pattern in all our security
constraints is of the format "/*".
* i believe would include everything.
To confirm with you, does this include the empty ("") string to make our
usage vulnerable too?

Harish Krishnan

Reply via email to