Skip to main content

CVE-2018-8034

Severity

6.8

Description

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Mitigation

If SSL is necessary, we recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Project

Apache Tomcat

Apache TomEE

Category
Security Constraint Bypass
Tags
data
functional
Date Disclosed

2018-07-22

Date Discovered

2018-03-09

Apache Tomcat 9.0.x

First release:
2018-01-18
CVEs:
41
Support Lifecycle:
Namespace:
javax

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
100
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
87
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
101
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.