Lucene search

K
cve[email protected]CVE-2018-8014
HistoryMay 16, 2018 - 4:29 p.m.

CVE-2018-8014

2018-05-1616:29:00
CWE-1188
web.nvd.nist.gov
557
cve
2018
8014
apache tomcat
cors filter
security
nvd

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.052 Low

EPSS

Percentile

93.1%

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable ‘supportsCredentials’ for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Affected configurations

Vulners
NVD
Node
apachetomcatRange9.0.0.M19.0.8
OR
apachetomcatRange8.5.08.5.31
OR
apachetomcatRange8.0.0.RC18.0.52
OR
apachetomcatRange7.0.417.0.88

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "9.0.0.M1 to 9.0.8"
      },
      {
        "status": "affected",
        "version": "8.5.0 to 8.5.31"
      },
      {
        "status": "affected",
        "version": "8.0.0.RC1 to 8.0.52"
      },
      {
        "status": "affected",
        "version": "7.0.41 to 7.0.88"
      }
    ]
  }
]

References

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.052 Low

EPSS

Percentile

93.1%