Hi All, Thanks for all the help and work you great people do.
My question is regarding CVE-2018-1305 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305> and CVE-2018-1304 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304> that were fixed in the latest builds. We use Tomcat 7.x.

a) When can we expect the CVE scores to be determined for these vulnerabilities? On NVD, it still says awaiting analysis. This information would help us determine the SLA on when we can update Tomcat builds.

b) Regarding the 1st CVE (#1305), we do not use annotation-based security constraints. Instead we configure it in our web.xml. With this understanding, is it safe to consider we are not vulnerable?

c) Regarding the 2nd CVE (#1304), the URL pattern in all our security constraints is of the format "/*". * I believe would include everything. To confirm with you, does this include the empty ("") string to make our usage vulnerable too?

regards
Harish Krishnan