CVE-2018-11784 – Apache Tomcat 9.0.0.M1 - Open Redirect
https://notcve.org/view.php?id=CVE-2018-11784
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. Cuando el servlet por defecto en Apache Tomcat en versiones de la 9.0.0.M1 a la 9.0.11, de la 8.5.0 a la 8.5.33 y de la 7.0.23 a la 7.0.90 devolvía una redirección a un directorio (por ejemplo, redirigiendo a "/foo/'' cuando el usuario solicitó '"/foo") se pudo usar una URL especialmente manipulada para hacer que la redirección se generara a cualquier URI de la elección del atacante. These are details on an open redirection vulnerability in Apache Tomcat version 9.0.0M1 that was discovered in 2018. • https://www.exploit-db.com/exploits/50118 https://github.com/Cappricio-Securities/CVE-2018-11784 http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html http://packetstormsecurity.com/files/163456/Apache-Tomcat-9.0.0M1-Open-Redirect.html http://www.securityfocus.com/bid/105524 https://access.redhat.com/errata/RHSA-2019:0130 https://access.redhat.com/errata/RHSA-2019:0131 https://access.redhat.c • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2018-8037 – tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up
https://notcve.org/view.php?id=CVE-2018-8037
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31. Si la aplicación completaba una petición async al mismo tiempo que el contenedor activaba el tiempo de espera de async, existía una condición de carrera que podía hacer que un usuario viera una respuesta destinada a otro usuario. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104894 http://www.securitytracker.com/id/1041376 https://access.redhat.com/errata/RHSA-2018:2867 https://access.redhat.com/errata/RHSA-2018:2868 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2018-8034 – tomcat: Host name verification missing in WebSocket client
https://notcve.org/view.php?id=CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. No hay verificación del nombre del host al emplear TLS con el cliente WebSocket. Ahora está habilitado por defecto. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283%40minotaur.apache.org%3E http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104895 http://www.securitytracker.com/id/1041374 https://access.redhat.com/errata/RHSA-2019:0130 https://access.redhat.com/errata/RHSA-2019:0131 https://access.redhat.com/errata/RHSA-2019:0450 https://access.redhat.com/errata/RHSA-2019:0451 https://access.redhat • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVE-2018-1336 – tomcat: A bug in the UTF-8 decoder can lead to DoS
https://notcve.org/view.php?id=CVE-2018-1336
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. Una gestión incorrecta del desbordamiento en el decodificador UTF-8 con caracteres suplementarios puede conducir a un bucle infinito en el decodificador, provocando una denegación de servicio (DoS). Versiones afectadas: Apache Tomcat de la versión 9.0.0.M9 a la 9.0.7, de la 8.5.0 a la 8.5.30, de la 8.0.0.RC1 a la 8.0.51 y de la versión 7.0.28 a la 7.0.86. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E http://www.securityfocus.com/bid/104898 http://www.securitytracker.com/id/1041375 https://access.redhat.com/errata/RHEA-2018:2188 https://access.redhat.com/errata/RHEA-2018:2189 https://access.redhat.com/errata/RHSA-2018:2700 https://access.redhat.com/errata/RHSA-2018:2701 https://access.redhat.com/errata/RHSA-2018:2740 https://access.redhat.com/errata/RHSA-20 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2018-8014 – tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
https://notcve.org/view.php?id=CVE-2018-8014
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. Las opciones por defecto para el filtro CORS proporcionado en Apache Tomcat 9.0.0.M1 a 9.0.8, 8.5.0 a 8.5.31, 8.0.0.RC1 a 8.0.52 y 7.0.41 a 7.0.88 son inseguras y permiten "supportsCredentials" para todos los orígenes. Se espera que los usuarios del filtro CORS lo tengan configurado de forma adecuada para su entorno, en lugar de emplearlo con su configuración por defecto. • http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104203 http://www.securitytracker.com/id/1040998 http://www.securitytracker.com/id/1041888 https://access.redhat.com/errata/RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:3768 https://a • CWE-284: Improper Access Control CWE-1188: Initialization of a Resource with an Insecure Default •