CVE-2018-8014

State: PUBLISHED · Published: 2018-05-16 · Updated: 2024-08-05 · Assigner: apache

Description

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

CWE

(none)

Affected

Apache Software Foundation / Apache Tomcat — v=9.0.0.M1 to 9.0.8 [affected]; v=8.5.0 to 8.5.31 [affected]; v=8.0.0.RC1 to 8.0.52 [affected]; v=7.0.41 to 7.0.88 [affected]

CVSS

(none)

References

http://tomcat.apache.org/security-9.html x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:0451 vendor-advisory, x_refsource_REDHAT
http://tomcat.apache.org/security-7.html x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:2469 vendor-advisory, x_refsource_REDHAT
http://www.securitytracker.com/id/1041888 vdb-entry, x_refsource_SECTRACK
https://usn.ubuntu.com/3665-1/ vendor-advisory, x_refsource_UBUNTU
http://tomcat.apache.org/security-8.html x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:2470 vendor-advisory, x_refsource_REDHAT
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20181018-0002/ x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:0450 vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1%40%3Cannounce.tomcat.apache.org%3E x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html mailing-list, x_refsource_MLIST
http://www.securityfocus.com/bid/104203 vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1040998 vdb-entry, x_refsource_SECTRACK
https://access.redhat.com/errata/RHSA-2018:3768 vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:1529 vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E mailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:2205 vendor-advisory, x_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html mailing-list, x_refsource_MLIST
https://www.debian.org/security/2019/dsa-4596 vendor-advisory, x_refsource_DEBIAN
https://seclists.org/bugtraq/2019/Dec/43 mailing-list, x_refsource_BUGTRAQ
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC

Source

cvelistV5-main/cves/2018/8xxx/CVE-2018-8014.json