CVE-2018-8014 – org.apache.tomcat.embed:tomcat-embed-core

Package

Manager: maven
Name: org.apache.tomcat.embed:tomcat-embed-core
Vulnerable Version: >=9.0.0.m1 <9.0.9 || >=8.5.0 <8.5.32 || >=8.0.0rc1 <8.0.53 || >=7.0.41 <7.0.88

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.5706 pctl0.9806

Details

The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Metadata

Created: 2018-10-17T16:32:32Z
Modified: 2024-02-23T18:01:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json
CWE IDs: ["CWE-1188"]
Alternative ID: GHSA-r4x2-3cq5-hqvp
Finding: F164
Auto approve: 1