Lucene search

K
tomcatApache TomcatTOMCAT:E0D7CC4566625A34425D5CE3D847746F
HistoryJun 25, 2018 - 12:00 a.m.

Fixed in Apache Tomcat 9.0.10

2018-06-2500:00:00
Apache Tomcat
tomcat.apache.org
36

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.017 Low

EPSS

Percentile

87.5%

Low: host name verification missing in WebSocket client CVE-2018-8034

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default.

This was fixed in revision 1833757.

This issue was reported publicly on 11 June 2018 and formally announced as a vulnerability on 22 July 2018.

Affects: 9.0.0.M1 to 9.0.9

Important: Information Disclosure CVE-2018-8037

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user.

This was fixed in revisions 1833825, 1833831, 1837530 and 1833906.

This issue was reported to the Apache Tomcat Security Team by Dmitry Treskunov on 16 June 2018 and made public on 22 July 2018.

Affects: 9.0.0.M9 to 9.0.9

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.017 Low

EPSS

Percentile

87.5%