CVE-2018-8014
tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
SSVC
- Decision: -
Timeline
- 2018-03-09 CVE Reserved
- 2018-05-16 CVE Published
- 2024-08-05 CVE Updated
- 2024-11-09 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-284: Improper Access Control
- CWE-1188: Initialization of a Resource with an Insecure Default
References (41)
URL | Date
---|---
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | 2023-12-08
https://security.netapp.com/advisory/ntap-20181018-0002 | 2023-12-08
http://tomcat.apache.org/security-7.html | 2023-12-08
http://tomcat.apache.org/security-8.html | 2023-12-08
http://tomcat.apache.org/security-9.html | 2023-12-08
https://access.redhat.com/errata/RHSA-2018:2469 | 2023-12-08
https://access.redhat.com/errata/RHSA-2018:2470 | 2023-12-08
https://access.redhat.com/errata/RHSA-2018:3768 | 2023-12-08
https://access.redhat.com/errata/RHSA-2019:0450 | 2023-12-08
https://access.redhat.com/errata/RHSA-2019:0451 | 2023-12-08
https://access.redhat.com/errata/RHSA-2019:1529 | 2023-12-08
https://access.redhat.com/errata/RHSA-2019:2205 | 2023-12-08
https://usn.ubuntu.com/3665-1 | 2023-12-08
https://www.debian.org/security/2019/dsa-4596 | 2023-12-08
https://access.redhat.com/security/cve/CVE-2018-8014 | 2019-08-06
https://bugzilla.redhat.com/show_bug.cgi?id=1579611 | 2019-08-06
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | Platform
---|---|---|---|---|---
Netapp | Oncommand Unified Manager | >= 7.3 | - | Affected | Microsoft Windows (Safe)
Apache | Tomcat | >= 7.0.41 <= 7.0.88 | - | Affected | -
Apache | Tomcat | >= 8.0.0 <= 8.0.52 | - | Affected | -
Apache | Tomcat | >= 8.5.0 <= 8.5.31 | - | Affected | -
Apache | Tomcat | >= 9.0.0 <= 9.0.8 | - | Affected | -
Apache | Tomcat | 8.0.0 | rc1 | Affected | -
Apache | Tomcat | 9.0.0 | milestone1 | Affected | -
Canonical | Ubuntu Linux | 14.04 | lts | Affected | -
Canonical | Ubuntu Linux | 16.04 | lts | Affected | -
Canonical | Ubuntu Linux | 17.10 | - | Affected | -
Canonical | Ubuntu Linux | 18.04 | lts | Affected | -
Debian | Debian Linux | 8.0 | - | Affected | -
Netapp | Oncommand Insight | - | - | Affected | -
Netapp | Oncommand Unified Manager | >= 9.4 | vmware_vsphere | Affected | -
Netapp | Oncommand Workflow Automation | - | - | Affected | -
Netapp | Snapcenter Server | - | - | Affected | -
Netapp | Storage Automation Store | - | - | Affected | -