CVE-2018-8014

Published: 16 May 2018
Source: debian

Description

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Packages

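| Package   | Status       | Fixed version | Release | Type    |
|-----------|--------------|---------------|---------|---------|
| tomcat9   | not-affected |               |         | package |
| tomcat8   | fixed        | 8.5.32-1      |         | package |
| tomcat8.0 | removed      |               |         | package |
| tomcat7   | fixed        | 7.0.72-3      |         | package |
| tomcat7   | not-affected |               | wheezy  | package |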

Notes

  • tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java

  • Since 7.0.72-3, src:tomcat7 only builds the Servlet API

  • https://svn.apache.org/r1831728 (8.5.x)

  • https://svn.apache.org/r1831729 (8.0.x)

  • https://svn.apache.org/r1831730 (7.0.x)

  • https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

  • It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 7 years ago

CVSS3: 5.7
redhat
about 7 years ago

CVSS3: 9.8
nvd
about 7 years ago

CVSS3: 9.8
github
more than 6 years ago

The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins

CVSS3: 9.8
fstec
about 7 years ago

A vulnerability in the CORS component of the Apache Tomcat servlet container that allows an attacker to gain access to protected information