CVE-2018-8014

Severity

5.9

Description

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Mitigation

There is no non vulnerable version of this component/package. We recommend investigating alternative components or a potential mitigating control.

>Mitigation:
>Users of the affected versions should apply one of the following
>mitigations.
>- Configure the filter appropriately for your environment

Reference: [https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E](https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E)

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8014

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E

Project

Apache Tomcat

Category

n/a

Tags

configuration

Date Disclosed

2018-05-16

Date Discovered

2018-03-09

Apache Tomcat 9.0.x

First release:

2018-01-18

CVEs:

49

Support Lifecycle:

Maintenance Support

Namespace:

javax

9.0.1 9.0.2 9.0.4 9.0.5 9.0.6 9.0.7 9.0.8

Apache Tomcat 8.5.x

First release:

2016-06-13

CVEs:

66

Support Lifecycle:

Maintenance Support

Namespace:

javax

8.5.0 8.5.2 8.5.3 8.5.4 8.5.5 8.5.6 8.5.8 8.5.9 8.5.11 8.5.12 8.5.13 8.5.14 8.5.15 8.5.16 8.5.19 8.5.20 8.5.21 8.5.23 8.5.24 8.5.27 8.5.28 8.5.29 8.5.30 8.5.31

Apache Tomcat 8.0.x

First release:

2014-06-25

First release:

2018-06-30

CVEs:

55

Support Lifecycle:

Namespace:

javax

Apache TomEE 7.0.x

First release:

2016-05-17

CVEs:

111

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.0 7.0.1 7.0.2 7.0.3 7.0.4

Apache Tomcat 7.0.x

First release:

2011-01-14

First release:

2021-03-31

CVEs:

55

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.41 7.0.42 7.0.47 7.0.50 7.0.52 7.0.53 7.0.54 7.0.55 7.0.56 7.0.57 7.0.59 7.0.61 7.0.62 7.0.63 7.0.64 7.0.65 7.0.67 7.0.68 7.0.69 7.0.70 7.0.72 7.0.73 7.0.75 7.0.76 7.0.77 7.0.78 7.0.79 7.0.81 7.0.82 7.0.84 7.0.85 7.0.86 7.0.88

Apache TomEE 1.7.x

First release:

2014-08-09

CVEs:

95

Support Lifecycle:

Namespace:

javax

1.7.0 1.7.1 1.7.2 1.7.3 1.7.4 1.7.5

Apache TomEE 1.6.x

First release:

2013-11-17

CVEs:

108

Support Lifecycle:

Namespace:

javax

1.6.0 1.6.0.1 1.6.0.2

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.