Insecure Defaults

2018-07-2305:27:23

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

tomcat-websocket is vulnerable to missing hostname verification. The application does not verify the hostname with a client when establishing a TLS connection through the websocket, allowing a malicious user to impersonate a different host machine.

CPENameOperatorVersion
tomcat-websocketle9.0.8
tomcat-websocketle8.5.31
tomcat-websocketle8.0.52
tomcat7-websocketle7.0.88
tomcat8eq8.0.18__25_patch_00.ep7.el6
tomcat8eq8.0.36__17.ep7.el6
tomcat8eq8.0.18__52_patch_01.ep7.el6
tomcat8eq8.0.18__62_patch_01.ep7.el6
tomcat8eq8.0.18__15_patch_00.ep7.el7
tomcat8eq8.0.36__29.ep7.el7

Name	Operator	Version
tomcat-websocket	le	9.0.8
tomcat-websocket	le	8.5.31
tomcat-websocket	le	8.0.52
tomcat7-websocket	le	7.0.88
tomcat8	eq	8.0.18__25_patch_00.ep7.el6
tomcat8	eq	8.0.36__17.ep7.el6
tomcat8	eq	8.0.18__52_patch_01.ep7.el6
tomcat8	eq	8.0.18__62_patch_01.ep7.el6
tomcat8	eq	8.0.18__15_patch_00.ep7.el7
tomcat8	eq	8.0.36__29.ep7.el7