CVE-2018-8014 — Initialization of a Resource with an Insecure Default in Apache Tomcat
Severity: 9.8 CRITICAL (NVD)
EPSS: 48.8% (top 2.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 16; latest update Oct 17
Description
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected packages: 3 packages
Also affects: Debian Linux 8.0; Ubuntu Linux 14.04, 16.04, 17.10, 18.04
Vendor Advisories
- Red Hat
- Debian: CVE-2018-8014: tomcat9 - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to ... (2018)

Community
- Bugzilla: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [epel-all] (2018-05-18)
- Bugzilla: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (2018-05-18)
- Bugzilla: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [fedora-all] (2018-05-18)