CVE-2018-8014

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.41 to 7.0.88 are insecure: they enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, most users are not expected to be impacted by this issue.

Published: 2018-05-16 16:29 Updated: 2019-04-15 16:31

CVSS Score: 7.5 / 10
Vendor Product Version URI
Apache Tomcat 7.0.41 cpe:/a:apache:tomcat:7.0.41
Apache Tomcat 7.0.42 cpe:/a:apache:tomcat:7.0.42
Apache Tomcat 7.0.43 cpe:/a:apache:tomcat:7.0.43
Apache Tomcat 7.0.44 cpe:/a:apache:tomcat:7.0.44
Apache Tomcat 7.0.45 cpe:/a:apache:tomcat:7.0.45
Apache Tomcat 7.0.46 cpe:/a:apache:tomcat:7.0.46
Apache Tomcat 7.0.47 cpe:/a:apache:tomcat:7.0.47
Apache Tomcat 7.0.48 cpe:/a:apache:tomcat:7.0.48
Apache Tomcat 7.0.49 cpe:/a:apache:tomcat:7.0.49
Apache Tomcat 7.0.50 cpe:/a:apache:tomcat:7.0.50
Apache Tomcat 7.0.51 cpe:/a:apache:tomcat:7.0.51
Apache Tomcat 7.0.54 cpe:/a:apache:tomcat:7.0.54
Apache Tomcat 7.0.55 cpe:/a:apache:tomcat:7.0.55
Apache Tomcat 7.0.56 cpe:/a:apache:tomcat:7.0.56
Apache Tomcat 7.0.57 cpe:/a:apache:tomcat:7.0.57
Apache Tomcat 7.0.58 cpe:/a:apache:tomcat:7.0.58
Apache Tomcat 7.0.59 cpe:/a:apache:tomcat:7.0.59
Apache Tomcat 7.0.60 cpe:/a:apache:tomcat:7.0.60
Apache Tomcat 7.0.61 cpe:/a:apache:tomcat:7.0.61
Apache Tomcat 7.0.62 cpe:/a:apache:tomcat:7.0.62
Apache Tomcat 7.0.63 cpe:/a:apache:tomcat:7.0.63
Apache Tomcat 7.0.64 cpe:/a:apache:tomcat:7.0.64
Apache Tomcat 7.0.65 cpe:/a:apache:tomcat:7.0.65
Apache Tomcat 7.0.66 cpe:/a:apache:tomcat:7.0.66
Apache Tomcat 7.0.67 cpe:/a:apache:tomcat:7.0.67
Apache Tomcat 7.0.68 cpe:/a:apache:tomcat:7.0.68
Apache Tomcat 7.0.69 cpe:/a:apache:tomcat:7.0.69
Apache Tomcat 7.0.70 cpe:/a:apache:tomcat:7.0.70
Apache Tomcat 7.0.71 cpe:/a:apache:tomcat:7.0.71
Apache Tomcat 7.0.72 cpe:/a:apache:tomcat:7.0.72
Apache Tomcat 7.0.73 cpe:/a:apache:tomcat:7.0.73
Apache Tomcat 7.0.74 cpe:/a:apache:tomcat:7.0.74
Apache Tomcat 7.0.75 cpe:/a:apache:tomcat:7.0.75
Apache Tomcat 7.0.76 cpe:/a:apache:tomcat:7.0.76
Apache Tomcat 7.0.77 cpe:/a:apache:tomcat:7.0.77
Apache Tomcat 7.0.78 cpe:/a:apache:tomcat:7.0.78
Apache Tomcat 7.0.79 cpe:/a:apache:tomcat:7.0.79
Apache Tomcat 7.0.80 cpe:/a:apache:tomcat:7.0.80
Apache Tomcat 7.0.81 cpe:/a:apache:tomcat:7.0.81
Apache Tomcat 7.0.82 cpe:/a:apache:tomcat:7.0.82
Apache Tomcat 7.0.83 cpe:/a:apache:tomcat:7.0.83
Apache Tomcat 7.0.84 cpe:/a:apache:tomcat:7.0.84
Apache Tomcat 7.0.85 cpe:/a:apache:tomcat:7.0.85
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc1
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc10
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc2
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc5
Apache Tomcat 8.0.1 cpe:/a:apache:tomcat:8.0.1
Apache Tomcat 8.0.2 cpe:/a:apache:tomcat:8.0.2
Apache Tomcat 8.0.4 cpe:/a:apache:tomcat:8.0.4
Apache Tomcat 8.0.6 cpe:/a:apache:tomcat:8.0.6
Apache Tomcat 8.0.7 cpe:/a:apache:tomcat:8.0.7
Apache Tomcat 8.0.9 cpe:/a:apache:tomcat:8.0.9
Apache Tomcat 8.0.10 cpe:/a:apache:tomcat:8.0.10
Apache Tomcat 8.0.11 cpe:/a:apache:tomcat:8.0.11
Apache Tomcat 8.0.12 cpe:/a:apache:tomcat:8.0.12
Apache Tomcat 8.0.13 cpe:/a:apache:tomcat:8.0.13
Apache Tomcat 8.0.14 cpe:/a:apache:tomcat:8.0.14
Apache Tomcat 8.0.15 cpe:/a:apache:tomcat:8.0.15
Apache Tomcat 8.0.16 cpe:/a:apache:tomcat:8.0.16
Apache Tomcat 8.0.17 cpe:/a:apache:tomcat:8.0.17
Apache Tomcat 8.0.18 cpe:/a:apache:tomcat:8.0.18
Apache Tomcat 8.0.19 cpe:/a:apache:tomcat:8.0.19
Apache Tomcat 8.0.20 cpe:/a:apache:tomcat:8.0.20
Apache Tomcat 8.0.21 cpe:/a:apache:tomcat:8.0.21
Apache Tomcat 8.0.22 cpe:/a:apache:tomcat:8.0.22
Apache Tomcat 8.0.23 cpe:/a:apache:tomcat:8.0.23
Apache Tomcat 8.0.24 cpe:/a:apache:tomcat:8.0.24
Apache Tomcat 8.0.25 cpe:/a:apache:tomcat:8.0.25
Apache Tomcat 8.0.26 cpe:/a:apache:tomcat:8.0.26
Apache Tomcat 8.0.27 cpe:/a:apache:tomcat:8.0.27
Apache Tomcat 8.0.28 cpe:/a:apache:tomcat:8.0.28
Apache Tomcat 8.0.29 cpe:/a:apache:tomcat:8.0.29
Apache Tomcat 8.0.30 cpe:/a:apache:tomcat:8.0.30
Apache Tomcat 8.0.31 cpe:/a:apache:tomcat:8.0.31
Apache Tomcat 8.0.32 cpe:/a:apache:tomcat:8.0.32
Apache Tomcat 8.0.33 cpe:/a:apache:tomcat:8.0.33
Apache Tomcat 8.0.34 cpe:/a:apache:tomcat:8.0.34
Apache Tomcat 8.0.35 cpe:/a:apache:tomcat:8.0.35
Apache Tomcat 8.0.36 cpe:/a:apache:tomcat:8.0.36
Apache Tomcat 8.0.37 cpe:/a:apache:tomcat:8.0.37
Apache Tomcat 8.0.38 cpe:/a:apache:tomcat:8.0.38
Apache Tomcat 8.0.39 cpe:/a:apache:tomcat:8.0.39
Apache Tomcat 8.0.40 cpe:/a:apache:tomcat:8.0.40
Apache Tomcat 8.0.41 cpe:/a:apache:tomcat:8.0.41
Apache Tomcat 8.0.42 cpe:/a:apache:tomcat:8.0.42
Apache Tomcat 8.0.43 cpe:/a:apache:tomcat:8.0.43
Apache Tomcat 8.0.44 cpe:/a:apache:tomcat:8.0.44
Apache Tomcat 8.0.47 cpe:/a:apache:tomcat:8.0.47
Apache Tomcat 8.0.48 cpe:/a:apache:tomcat:8.0.48
Apache Tomcat 8.0.49 cpe:/a:apache:tomcat:8.0.49
Apache Tomcat 8.5.0 cpe:/a:apache:tomcat:8.5.0
Apache Tomcat 8.5.1 cpe:/a:apache:tomcat:8.5.1
Apache Tomcat 8.5.2 cpe:/a:apache:tomcat:8.5.2
Apache Tomcat 8.5.3 cpe:/a:apache:tomcat:8.5.3
Apache Tomcat 8.5.4 cpe:/a:apache:tomcat:8.5.4
Apache Tomcat 8.5.5 cpe:/a:apache:tomcat:8.5.5
Apache Tomcat 8.5.6 cpe:/a:apache:tomcat:8.5.6
Apache Tomcat 8.5.7 cpe:/a:apache:tomcat:8.5.7
Apache Tomcat 8.5.8 cpe:/a:apache:tomcat:8.5.8
Apache Tomcat 8.5.9 cpe:/a:apache:tomcat:8.5.9
Apache Tomcat 8.5.10 cpe:/a:apache:tomcat:8.5.10
Apache Tomcat 8.5.11 cpe:/a:apache:tomcat:8.5.11
Apache Tomcat 8.5.12 cpe:/a:apache:tomcat:8.5.12
Apache Tomcat 8.5.13 cpe:/a:apache:tomcat:8.5.13
Apache Tomcat 8.5.14 cpe:/a:apache:tomcat:8.5.14
Apache Tomcat 8.5.15 cpe:/a:apache:tomcat:8.5.15
Apache Tomcat 8.5.23 cpe:/a:apache:tomcat:8.5.23
Apache Tomcat 8.5.24 cpe:/a:apache:tomcat:8.5.24
Apache Tomcat 8.5.27 cpe:/a:apache:tomcat:8.5.27
Apache Tomcat 8.5.28 cpe:/a:apache:tomcat:8.5.28
Apache Tomcat 8.5.29 cpe:/a:apache:tomcat:8.5.29
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m1
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m10
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m11
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m12
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m13
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m14
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m15
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m16
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m17
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m18
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m19
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m2
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m20
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m21
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m3
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m4
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m5
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m6
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m7
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m8
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m9
Apache Tomcat 9.0.1 cpe:/a:apache:tomcat:9.0.1
Apache Tomcat 9.0.2 cpe:/a:apache:tomcat:9.0.2
Apache Tomcat 9.0.3 cpe:/a:apache:tomcat:9.0.3
Apache Tomcat 9.0.4 cpe:/a:apache:tomcat:9.0.4
Apache Tomcat 9.0.5 cpe:/a:apache:tomcat:9.0.5
Apache Tomcat 9.0.6 cpe:/a:apache:tomcat:9.0.6
Apache Tomcat 9.0.7 cpe:/a:apache:tomcat:9.0.7
Canonical Ubuntu Linux 14.04 cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
Canonical Ubuntu Linux 16.04 cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Canonical Ubuntu Linux 17.10 cpe:/o:canonical:ubuntu_linux:17.10
Canonical Ubuntu Linux 18.04 cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
Netapp Oncommand Insight - cpe:/a:netapp:oncommand_insight:-
Netapp Oncommand Workflow Automation - cpe:/a:netapp:oncommand_workflow_automation:-
Netapp Snapcenter Server - cpe:/a:netapp:snapcenter_server:-
Netapp Storage Automation Store - cpe:/a:netapp:storage_automation_store:-
Debian Debian Linux 8.0 cpe:/o:debian:debian_linux:8.0

CWE

ID Name Description Links
CWE-254 Security Features Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

References

Source Link
REDHAT https://access.redhat.com/errata/RHSA-2019:0451
REDHAT https://access.redhat.com/errata/RHSA-2019:0450
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
MLIST https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
CONFIRM http://tomcat.apache.org/security-7.html
BID http://www.securityfocus.com/bid/104203
UBUNTU https://usn.ubuntu.com/3665-1/
SECTRACK http://www.securitytracker.com/id/1040998
CONFIRM https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E
CONFIRM http://tomcat.apache.org/security-8.html
CONFIRM http://tomcat.apache.org/security-9.html
MLIST https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html
REDHAT https://access.redhat.com/errata/RHSA-2018:2470
REDHAT https://access.redhat.com/errata/RHSA-2018:2469
SECTRACK http://www.securitytracker.com/id/1041888
CONFIRM https://security.netapp.com/advisory/ntap-20181018-0002/
REDHAT https://access.redhat.com/errata/RHSA-2018:3768

History of changes

Date Event
2019-04-15 16:31
2019-03-25 11:35
2019-03-21 16:00
2019-03-08 16:58
2019-03-05 11:29
2018-12-05 11:29
2018-10-19 10:29
2018-10-17 10:30
2018-10-17 01:31
2018-08-17 10:29
2018-06-29 01:29
2018-06-20 17:44
2018-06-03 01:29
2018-06-01 01:29
2018-05-20 01:29
2018-05-16 16:29