CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.078 Low
Percentile: 94.1%
Important: Information Disclosure CVE-2018-8037
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user.
This was fixed in revisions 1833826, 1833832, 1837531 and 1833907.
This issue was reported to the Apache Tomcat Security Team by Dmitry Treskunov on 16 June 2018 and made public on 22 July 2018.
Affects: 8.5.5 to 8.5.31
Low: host name verification missing in WebSocket client CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default.
This was fixed in revision 1833758.
This issue was reported publicly on 11 June 2018 and formally announced as a vulnerability on 22 July 2018.
Affects: 8.5.0 to 8.5.31
Low: CORS filter has insecure defaults CVE-2018-8014
The default settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
This was fixed in revision 1831728.
This issue was reported publicly on 1 May 2018 and formally announced as a vulnerability on 16 May 2018.
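One way to check whether a deployment relies on the CORS filter defaults described above is to audit its web.xml. This is an added example, not code from the advisory or from the Apache Tomcat project: the sample web.xml is constructed, the helper names are hypothetical, and it assumes the filter class `org.apache.catalina.filters.CorsFilter` with its `cors.allowed.origins` and `cors.support.credentials` init-params, treating an unset parameter as the affected-version default (all origins, credentials enabled).

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"

# Constructed sample: the first filter relies on defaults, the second pins an origin.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsDefault</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CorsPinned</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example.test</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

def local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on namespaced tags.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    # Text of the first direct child with the given local name, or None.
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_cors_filters(web_xml):
    """Return names of CorsFilter declarations that allow credentials for all origins."""
    findings = []
    for elem in ET.fromstring(web_xml).iter():
        if local(elem.tag) != "filter" or child_text(elem, "filter-class") != CORS_FILTER:
            continue
        params = {child_text(p, "param-name"): child_text(p, "param-value")
                  for p in elem if local(p.tag) == "init-param"}
        # Assumption: unset or empty values fall back to the affected-version defaults.
        origins = params.get("cors.allowed.origins") or "*"
        creds = (params.get("cors.support.credentials") or "true").lower()
        if origins == "*" and creds == "true":
            findings.append(child_text(elem, "filter-name"))
    return findings

if __name__ == "__main__":
    print(audit_cors_filters(SAMPLE_WEB_XML))
```

A flagged filter is resolved by setting `cors.allowed.origins` to the specific origins the application trusts, or by disabling `cors.support.credentials`.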
CPE name | Operator | Version
---|---|---
apache tomcat | ge | 8.5.0
apache tomcat | le | 8.5.31
apache tomcat | ge | 8.5.5