Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2018-8014

Опубликовано: 16 мая 2018
Источник: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS Средний

Описание

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Версия от 7.0.41 (включая) до 7.0.88 (включая)
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Версия от 8.0.0 (включая) до 8.0.52 (включая)
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Версия от 8.5.0 (включая) до 8.5.31 (включая)
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Версия от 9.0.0 (включая) до 9.0.8 (включая)
cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Конфигурация 3
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Конфигурация 4

Одно из

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
Версия от 9.4 (включая)
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*
Конфигурация 5

Одновременно

cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:*
Версия от 7.3 (включая)
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

EPSS

Процентиль: 98%
0.63691
Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-1188

Связанные уязвимости

ubuntu логотип

CVE-2018-8014

CVSS3: 9.8
ubuntu
около 7 лет назад

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

redhat логотип

CVE-2018-8014

CVSS3: 5.7
redhat
около 7 лет назад

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

debian логотип

CVE-2018-8014

CVSS3: 9.8
debian
около 7 лет назад

The defaults settings for the CORS filter provided in Apache Tomcat 9. ...

github логотип

GHSA-r4x2-3cq5-hqvp

CVSS3: 9.8
github
больше 6 лет назад

The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins

fstec логотип

BDU:2019-00094

CVSS3: 9.8
fstec
около 7 лет назад

Уязвимость компонента CORS контейнера сервлетов Apache Tomcat, позволяющая нарушителю получить доступ к защищаемой информации

EPSS

Процентиль: 98%
0.63691
Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-1188