Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2018-8014

Published: 16/05/2018 Updated: 08/12/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Tomcat

Vulnerability Summary

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 8.0.0

apache tomcat

apache tomcat 9.0.0

canonical ubuntu linux 16.04

canonical ubuntu linux 14.04

canonical ubuntu linux 17.10

canonical ubuntu linux 18.04

debian debian linux 8.0

netapp storage automation store -

netapp oncommand workflow automation -

netapp snapcenter server -

netapp oncommand unified manager

netapp oncommand insight -

netapp oncommand_unified_manager

Vendor Advisories

Debian CVElist Bug Report Logs: tomcat8: CVE-2018-8014: The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials'
Debian Bug report logs - #898935 tomcat8: CVE-2018-8014: The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' Package: src:tomcat8; Maintainer for src:tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccors ...
Ubuntu Security Notice: tomcat7, tomcat8 vulnerabilities
Several security issues were fixed in Tomcat ...
Debian Security Advisories: DSA-4596-1 tomcat8 -- security update
Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects For the oldstable distribution (stretch), these problems have been fixed in version 8550-0+deb9u1 This update also req ...
Red Hat: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and bug fix update
Synopsis Important: Red Hat JBoss Web Server 310 Service Pack 4 security and bug fix update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31 for RHEL 6 and Red Hat JBoss Web Server 31 for RHEL 7Red Hat Product Security has rated this release as ...
Red Hat: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and bug fix update
Synopsis Important: Red Hat JBoss Web Server 310 Service Pack 4 security and bug fix update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31Red Hat Product Security has rated this release as having a security impact of Important A Common Vulner ...
Red Hat: Important: Red Hat Fuse 7.2 security update
Synopsis Important: Red Hat Fuse 72 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat FuseRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a de ...
Red Hat: Moderate: tomcat security, bug fix, and enhancement update
Synopsis Moderate: tomcat security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for tomcat is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring Syst ...
Red Hat: Moderate: Red Hat JBoss Web Server 5.0 Service Pack 2 security and bug fix update
Synopsis Moderate: Red Hat JBoss Web Server 50 Service Pack 2 security and bug fix update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Web Server 50 for RHEL 6 and Red Hat JBoss Web Server 50 for RHEL 7Red Hat Product Security has rated this release as hav ...
Red Hat: Important: pki-deps:10.6 security update
Synopsis Important: pki-deps:106 security update Type/Severity Security Advisory: Important Topic An update for the pki-deps:106 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring Sy ...
Red Hat: Moderate: Red Hat JBoss Web Server 5.0 Service Pack 2 security and bug fix update
Synopsis Moderate: Red Hat JBoss Web Server 50 Service Pack 2 security and bug fix update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Web Server 50 for RHEL 6 and Red Hat JBoss Web Server 50 for RHEL 7Red Hat Product Security has rated this release as hav ...
Amazon Linux 2: ALAS2-2020-1402
The host name verification when using TLS with the WebSocket client was missing It is now enabled by default Versions Affected: Apache Tomcat 900M1 to 909, 850 to 8531, 800RC1 to 8052, and 7035 to 7088 (CVE-2018-8034) The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Ap ...
Amazon Linux AMI: ALAS-2018-1056
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration Therefore, it is expected that most users will not be impacted ...
Amazon Linux AMI: ALAS-2018-1055
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration Therefore, it is expected that most users will not be impacted ...
Red Hat: CVE-2018-8014
The defaults settings for the CORS filter provided in Apache Tomcat 900M1 to 908, 850 to 8531, 800RC1 to 8052, 7041 to 7088 are insecure and enable 'supportsCredentials' for all origins It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default conf ...

ICS Advisories

Philips Vue PACS (Update A)
Critical Infrastructure Sectors: Healthcare and Public Health

Recent Articles

Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then
The Register • Shaun Nichols in San Francisco • 16 Oct 2018

And you'll definitely want to check out the libssh flaw

Oracle has released a wide-ranging security update to address more than 300 CVE-listed vulnerabilities in its various enterprise products. The October release covers the gamut of Oracle's offerings, including its flagship Database, E-Business Suite, and Fusion Middleware packages. For Database, the update addresses a total of three flaws. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication, while the third, CVE-2018-7489, would require th...

Read more...

References

CWE-1188http://tomcat.apache.org/security-9.htmlhttp://tomcat.apache.org/security-8.htmlhttp://tomcat.apache.org/security-7.htmlhttp://www.securityfocus.com/bid/104203https://usn.ubuntu.com/3665-1/http://www.securitytracker.com/id/1040998https://lists.debian.org/debian-lts-announce/2018/06/msg00008.htmlhttps://access.redhat.com/errata/RHSA-2018:2470https://access.redhat.com/errata/RHSA-2018:2469http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securitytracker.com/id/1041888https://security.netapp.com/advisory/ntap-20181018-0002/https://access.redhat.com/errata/RHSA-2018:3768https://access.redhat.com/errata/RHSA-2019:0451https://access.redhat.com/errata/RHSA-2019:0450https://access.redhat.com/errata/RHSA-2019:1529https://access.redhat.com/errata/RHSA-2019:2205https://lists.debian.org/debian-lts-announce/2019/08/msg00015.htmlhttps://www.debian.org/security/2019/dsa-4596https://seclists.org/bugtraq/2019/Dec/43https://www.oracle.com/security-alerts/cpuapr2020.htmlhttps://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1%40%3Cannounce.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3Ehttps://nvd.nist.govhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898935https://usn.ubuntu.com/3665-1/https://www.cisa.gov/uscert/ics/advisories/icsma-21-187-01
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-3675CVE-2024-3400CVE-2024-23557mass assignmentCVE-2023-1389local file inclusionCVE-2024-32596file uploadCVE-2024-32593
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook