CVE-2018-8014

tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins

Severity Score

9.8

*CVSS v3

Exploit Likelihood

53.9%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Las opciones por defecto para el filtro CORS proporcionado en Apache Tomcat 9.0.0.M1 a 9.0.8, 8.5.0 a 8.5.31, 8.0.0.RC1 a 8.0.52 y 7.0.41 a 7.0.88 son inseguras y permiten "supportsCredentials" para todos los orígenes. Se espera que los usuarios del filtro CORS lo tengan configurado de forma adecuada para su entorno, en lugar de emplearlo con su configuración por defecto. Por lo tanto, se espera que la mayoría de usuarios no se vean afectados por este problema.

Red Hat Fuse enables integration experts, application developers, and business users to collaborate and independently develop connected solutions. Fuse is part of an agile integration solution. Its distributed approach allows teams to deploy integrated services where required. The API-centric, container-based architecture decouples services so they can be created, extended, and deployed independently. This release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse 7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, denial of service, deserialization, and traversal vulnerabilities.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-03-09 CVE Reserved
2018-05-16 CVE Published
2024-08-05 CVE Updated
2025-04-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-284: Improper Access Control
CWE-1188: Initialization of a Resource with an Insecure Default

CAPEC

References (41)

URL	Tag	Source
http://www.securityfocus.com/bid/104203	Third Party Advisory
http://www.securitytracker.com/id/1040998	Third Party Advisory
http://www.securitytracker.com/id/1041888	Third Party Advisory
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat...	Mailing List
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat...	Mailing List
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat...	Mailing List
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat...	Mailing List
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat...	Mailing List
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat...	Mailing List
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat...	Mailing List

1 - 10 of 25

URL	Date	SRC

URL	Date	SRC
http://www.oracle.com/technetwork/security-advisory/cpuoct20...	2023-12-08
https://security.netapp.com/advisory/ntap-20181018-0002	2023-12-08

1 - 2 of 2

URL	Date	SRC
http://tomcat.apache.org/security-7.html	2023-12-08
http://tomcat.apache.org/security-8.html	2023-12-08
http://tomcat.apache.org/security-9.html	2023-12-08
https://access.redhat.com/errata/RHSA-2018:2469	2023-12-08
https://access.redhat.com/errata/RHSA-2018:2470	2023-12-08
https://access.redhat.com/errata/RHSA-2018:3768	2023-12-08
https://access.redhat.com/errata/RHSA-2019:0450	2023-12-08
https://access.redhat.com/errata/RHSA-2019:0451	2023-12-08
https://access.redhat.com/errata/RHSA-2019:1529	2023-12-08
https://access.redhat.com/errata/RHSA-2019:2205	2023-12-08

1 - 10 of 14

Affected Vendors, Products, and Versions (17)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	Oncommand Unified Manager Search vendor "Netapp" for product "Oncommand Unified Manager"	>= 7.3 Search vendor "Netapp" for product "Oncommand Unified Manager" and version " >= 7.3"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Vendor		Product				Version		Other		Status
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 7.0.41 <= 7.0.88 Search vendor "Apache" for product "Tomcat" and version " >= 7.0.41 <= 7.0.88"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 8.0.0 <= 8.0.52 Search vendor "Apache" for product "Tomcat" and version " >= 8.0.0 <= 8.0.52"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 8.5.0 <= 8.5.31 Search vendor "Apache" for product "Tomcat" and version " >= 8.5.0 <= 8.5.31"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 9.0.0 <= 9.0.8 Search vendor "Apache" for product "Tomcat" and version " >= 9.0.0 <= 9.0.8"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				8.0.0 Search vendor "Apache" for product "Tomcat" and version "8.0.0"		rc1		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone1		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				17.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10"		-		Affected

1 - 10 of 17