CVE-2018-8034 – org.apache.tomcat.embed:tomcat-embed-core
Package
Manager: maven
Name: org.apache.tomcat.embed:tomcat-embed-core
Vulnerable Version: >=9.0.0 <9.0.10 || >=8.5.0 <8.5.32 || >=8.0.0 <8.0.53 || >=7.0.35 <7.0.90
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.13373 (percentile: 0.93932)
Details
Missing host name verification in Apache Tomcat. Host name verification was missing when using TLS with the WebSocket client. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
Metadata
Created: 2018-10-17T16:32:43Z
Modified: 2024-10-21T19:06:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-46j3-r4pj-4835
Finding: F163
Auto approve: 1