|Description||The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||high (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|stretch (security), stretch||8.5.14-1+deb9u3||vulnerable|
The information below is based on the following data on fixed versions.
- tomcat9 <not-affected> (Fixed before initial upload to Debian)
[stretch] - tomcat8 <no-dsa> (Minor issue; user expected to configure filters appropriately)
tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
[wheezy] - tomcat7 <not-affected> (vulnerable code not present)
Since 7.0.72-3, src:tomcat7 only builds the Servlet API
It is expected that users of the CORS filter will have configured it appropriately
for their einvironment rather than using it in the default configuration