7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.017 Low
EPSS
Percentile
87.5%
Low: host name verification missing in WebSocket client CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default.
This was fixed in revision 1833757.
This issue was reported publicly on 11 June 2018 and formally announced as a vulnerability on 22 July 2018.
Affects: 9.0.0.M1 to 9.0.9
Important: Information Disclosure CVE-2018-8037
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user.
This was fixed in revisions 1833825, 1833831, 1837530 and 1833906.
This issue was reported to the Apache Tomcat Security Team by Dmitry Treskunov on 16 June 2018 and made public on 22 July 2018.
Affects: 9.0.0.M9 to 9.0.9
CPE | Name | Operator | Version |
---|---|---|---|
apache tomcat | ge | 9.0.0.M1 | |
apache tomcat | ge | 9.0.0.M9 | |
apache tomcat | le | 9.0.9 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.017 Low
EPSS
Percentile
87.5%