CVE-2018-8014

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
Affected Products (NVD)
VendorProductVersion
apachetomcat
7.0.41 ≤
𝑥
≤ 7.0.88
apachetomcat
8.0.0 ≤
𝑥
≤ 8.0.52
apachetomcat
8.5.0 ≤
𝑥
≤ 8.5.31
apachetomcat
9.0.0 ≤
𝑥
≤ 9.0.8
apachetomcat
8.0.0:rc1
apachetomcat
9.0.0:milestone1
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
17.10
canonicalubuntu_linux
18.04
debiandebian_linux
8.0
netapponcommand_insight
-
netapponcommand_unified_manager
9.4 ≤
netapponcommand_workflow_automation
-
netappsnapcenter_server
-
netappstorage_automation_store
-
netapponcommand_unified_manager
7.3 ≤
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat9
bookworm
9.0.70-2
fixed
bullseye
9.0.43-2~deb11u10
fixed
bullseye (security)
9.0.43-2~deb11u10
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat7
artful
not-affected
bionic
not-affected
cosmic
not-affected
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
mantic
dne
noble
dne
trusty
Fixed 7.0.52-1ubuntu0.14
released
xenial
needed
tomcat8
artful
Fixed 8.5.21-1ubuntu1.1
released
bionic
Fixed 8.5.30-1ubuntu1.2
released
cosmic
Fixed 8.5.30-1ubuntu3
released
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
mantic
dne
noble
dne
trusty
dne
xenial
Fixed 8.0.32-1ubuntu1.6
released
tomcat8.0
artful
ignored
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
tomcat
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-admin-webapps
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-docs-webapp
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-el-2_2-api
suse enterprise server 12
7.0.90-7.23.1
fixed
tomcat-el-3_0-api
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-javadoc
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-jsp-2_2-api
suse enterprise server 12
7.0.90-7.23.1
fixed
tomcat-jsp-2_3-api
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-lib
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-servlet-3_0-api
suse enterprise server 12
7.0.90-7.23.1
fixed
tomcat-servlet-3_1-api
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
tomcat-servlet-4_0-api
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-webapps
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP3
8.0.53-29.13.1
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP3
8.0.53-29.13.1
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
tomcat
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-admin-webapps
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-docs-webapp
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-el-2.2-api
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-javadoc
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-jsp-2.2-api
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-jsvc
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-lib
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-servlet-3.0-api
RHEL 7
0:7.0.76-9.el7
fixed
tomcat-webapps
RHEL 7
0:7.0.76-9.el7
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
tomcat
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-admin-webapps
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-docs-webapp
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-el-2.2-api
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-javadoc
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-jsp-2.2-api
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-jsvc
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-lib
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-servlet-3.0-api
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat-webapps
Amazon Linux 2
0:7.0.76-10.amzn2.0.1
fixed
tomcat7
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-admin-webapps
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-docs-webapp
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-el-2.2-api
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-javadoc
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-jsp-2.2-api
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-lib
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-log4j
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-servlet-3.0-api
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat7-webapps
Amazon Linux 1
0:7.0.90-1.33.amzn1
fixed
tomcat8
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-admin-webapps
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-docs-webapp
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-el-3.0-api
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-javadoc
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-jsp-2.3-api
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-lib
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-log4j
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-servlet-3.1-api
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat8-webapps
Amazon Linux 1
0:8.5.32-1.78.amzn1
fixed
tomcat80
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-admin-webapps
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-docs-webapp
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-el-3.0-api
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-javadoc
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-jsp-2.3-api
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-lib
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-log4j
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-servlet-3.1-api
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
tomcat80-webapps
Amazon Linux 1
0:8.0.53-1.80.amzn1
fixed
References