First published: Wed May 16 2018
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat | <8.0.53 | 8.0.53 |
| redhat/tomcat | <8.5.32 | 8.5.32 |
| redhat/tomcat | <9.0.9 | 9.0.9 |
| redhat/tomcat | <7.0.89 | 7.0.89 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.0.0RC1 <8.0.53 | 8.0.53 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0.M1 <=9.0.8 | 9.0.9 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=7.0.41 <7.0.88 | 7.0.88 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.0 <8.5.32 | 8.5.32 |
| ubuntu/tomcat7 | <7.0.52-1ubuntu0.14 | 7.0.52-1ubuntu0.14 |
| ubuntu/tomcat7 | <7.0.72-3 | 7.0.72-3 |
| ubuntu/tomcat8 | <8.5.21-1ubuntu1.1 | 8.5.21-1ubuntu1.1 |
| ubuntu/tomcat8 | <8.5.30-1ubuntu1.2 | 8.5.30-1ubuntu1.2 |
| ubuntu/tomcat8 | <8.5.30-1ubuntu3 | 8.5.30-1ubuntu3 |
| ubuntu/tomcat8 | <8.0.53, <8.5.32 | 8.0.53, 8.5.32 |
| ubuntu/tomcat8 | <8.0.32-1ubuntu1.6 | 8.0.32-1ubuntu1.6 |
| ubuntu/tomcat8.0 | <8.0.53 | 8.0.53 |
| debian/tomcat9 | 9.0.31-1~deb10u6, 9.0.31-1~deb10u12, 9.0.43-2~deb11u9, 9.0.43-2~deb11u10, 9.0.70-2 | |
| Apache Tomcat | >=7.0.41 <=7.0.88 | |
| Apache Tomcat | >=8.0.0 <=8.0.52 | |
| Apache Tomcat | >=8.5.0 <=8.5.31 | |
| Apache Tomcat | >=9.0.0 <=9.0.8 | |
| Apache Tomcat | =8.0.0-rc1 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =17.10 | |
| Canonical Ubuntu Linux | =18.04 | |
| Debian Debian Linux | =8.0 | |
| NetApp OnCommand Insight | | |
| Netapp Oncommand Unified Manager Vmware Vsphere | >=9.4 | |
| NetApp OnCommand Workflow Automation | | |
| NetApp SnapCenter Server | | |
| Netapp Storage Automation Store | | |
| All of: | | |
| Netapp Oncommand Unified Manager | >=7.3 | |
| Microsoft Windows | | |
| Apache Tomcat | =9.0.0-m1 | |
| Netapp Oncommand Unified Manager | >=7.3 | |
| Microsoft Windows | | |
CVE-2018-8014 is a vulnerability that affects the default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.41 to 7.0.88.
CVE-2018-8014 has a severity rating of 9.8 out of 10.
CVE-2018-8014 affects the CORS filter in Apache Tomcat: its default configuration enables the 'supportsCredentials' option for all origins, which is an insecure combination.
To fix CVE-2018-8014, it is recommended to upgrade Apache Tomcat to version 9.0.9, 8.5.32, or 8.0.53, depending on your installed version.
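Upgrading removes the insecure default, but the filter should still be configured explicitly for the deployment. The following `WEB-INF/web.xml` fragment is an added example, not part of this advisory or of the Tomcat project's own documentation. It shows the risky combination the advisory describes (any origin plus `cors.support.credentials=true`, which is what the affected versions' defaults amount to) next to a hardened definition that names the permitted origins. The `init-param` names are Tomcat's real `CorsFilter` parameters; the origin, path and header values are placeholders to be replaced for your environment. Only one of the two filter definitions is meant to be deployed.

```xml
<!-- Added example configuration for org.apache.catalina.filters.CorsFilter.
     Origins, paths and header lists below are placeholders, not real values. -->

<!-- RISKY: equivalent to the defaults of the affected Tomcat versions.
     With any origin allowed AND credentials supported, the filter answers
     every cross-origin request with the caller's own Origin echoed back in
     Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true,
     so any website can make the browser send this app's cookies to it. -->
<filter>
  <filter-name>CorsFilterRisky</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- HARDENED: list exactly the origins that may call with credentials.
     If no cross-origin caller needs cookies or HTTP auth, set
     cors.support.credentials to false instead and keep the list anyway. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <!-- placeholder origins: comma-separated, scheme and port included -->
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://app.example.com,https://admin.example.com:8443</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,OPTIONS</param-value>
  </init-param>
  <init-param>
    <!-- placeholder request headers the front end actually sends -->
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,Accept,X-Requested-With</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- preflight cache lifetime in seconds -->
    <param-name>cors.preflight.maxage</param-name>
    <param-value>600</param-value>
  </init-param>
</filter>

<!-- Map the hardened filter only to the paths that need CORS (placeholder path). -->
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/api/*</url-pattern>
</filter-mapping>
```

A quick way to verify the deployed setting is to request a CORS-mapped URL with an `Origin` header for a site that is not on the list and confirm the response carries neither `Access-Control-Allow-Origin` echoing that origin nor `Access-Control-Allow-Credentials: true`; a response that returns both for an arbitrary origin indicates the risky configuration is still in effect.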