Описание
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
Меры по смягчению последствий
When using the CORS filter, it is recommended to configure it explicitly for your environment. In particular, the combination of cors.allowed.origins = * and cors.support.credentials = True should be avoided as this can leave your application vulnerable to cross-site scripting (XSS). For details on configuring CORS filter, please refer to https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | tomcat | Not affected | ||
| Red Hat Enterprise Linux 6 | tomcat6 | Not affected | ||
| Red Hat JBoss BRMS 5 | jbossweb | Not affected | ||
| Red Hat JBoss BRMS 6 | tomcat | Not affected | ||
| Red Hat JBoss Data Grid 6 | jbossweb | Not affected | ||
| Red Hat JBoss Data Grid 7 | tomcat | Not affected | ||
| Red Hat JBoss Data Virtualization 6 | jbossweb | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 5 | jbossweb | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 6 | jbossweb | Not affected | ||
| Red Hat JBoss Enterprise Web Server 2 | tomcat6 | Not affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
5.7 Medium
CVSS3
Связанные уязвимости
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
The defaults settings for the CORS filter provided in Apache Tomcat 9. ...
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins
Уязвимость компонента CORS контейнера сервлетов Apache Tomcat, позволяющая нарушителю получить доступ к защищаемой информации
EPSS
5.7 Medium
CVSS3