9.8

CVE-2018-8014

EPSS 53.05%
Published 16.05.2018 16:29:00
Last modified 21.11.2024 04:13:05
Source security@apache.org
Teams watchlist Login
Open Login

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 42

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 7.0.41 <= 7.0.88

Apache ≫ Tomcat Version >= 8.0.0 <= 8.0.52

Apache ≫ Tomcat Version >= 8.5.0 <= 8.5.31

Apache ≫ Tomcat Version >= 9.0.0 <= 9.0.8

Apache ≫ Tomcat Version8.0.0 Updaterc1

Apache ≫ Tomcat Version9.0.0 Updatemilestone1

Canonical ≫ Ubuntu Linux Version14.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version17.10

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Debian ≫ Debian Linux Version8.0

Netapp ≫ Oncommand Insight Version-

Netapp ≫ Oncommand Unified Manager SwPlatformvmware_vsphere Version >= 9.4

Netapp ≫ Oncommand Workflow Automation Version-

Netapp ≫ Snapcenter Server Version-

Netapp ≫ Storage Automation Store Version-

Netapp ≫ Oncommand Unified Manager Version >= 7.3

Microsoft ≫ Windows Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	53.05%	0.979

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

http://tomcat.apache.org/security-7.html

Vendor Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Patch

Third Party Advisory

http://tomcat.apache.org/security-8.html

Vendor Advisory

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://www.oracle.com/security-alerts/cpuapr2020.html

http://tomcat.apache.org/security-9.html

Vendor Advisory

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E

http://www.securitytracker.com/id/1041888

Third Party Advisory

VDB Entry

https://security.netapp.com/advisory/ntap-20181018-0002/

Patch

Third Party Advisory

https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html

Third Party Advisory

https://usn.ubuntu.com/3665-1/

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3768

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2205

http://www.securityfocus.com/bid/104203

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1040998

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2018:2469

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2470

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0450

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0451

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1529

https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1%40%3Cannounce.tomcat.apache.org%3E

https://seclists.org/bugtraq/2019/Dec/43

https://www.debian.org/security/2019/dsa-4596

https://nvd.nist.gov/vuln/detail/CVE-2018-8014

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-8014

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-8014

EUVD