CVE-2018-8014

NameCVE-2018-8014
DescriptionThe defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1400-1
NVD severityhigh (attack range: remote)
Debian Bugs898935

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat7 (PTS)jessie7.0.56-3+deb8u11vulnerable
jessie (security)7.0.56-3+really7.0.91-1fixed
stretch7.0.75-1fixed
tomcat8 (PTS)jessie8.0.14-1+deb8u11vulnerable
jessie (security)8.0.14-1+deb8u14vulnerable
stretch (security), stretch8.5.14-1+deb9u3vulnerable
buster8.5.35-2fixed
sid8.5.35-3fixed
tomcat9 (PTS)buster9.0.13-2fixed
sid9.0.14-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat7source(unstable)7.0.72-3high
tomcat7sourcejessie7.0.56-3+really7.0.88-1highDLA-1400-1
tomcat7sourcewheezy(not affected)
tomcat8source(unstable)8.5.32-1high898935
tomcat8.0source(unstable)(unfixed)unimportant
tomcat9source(unstable)(not affected)

Notes

- tomcat9 <not-affected> (Fixed before initial upload to Debian)
[stretch] - tomcat8 <no-dsa> (Minor issue; user expected to configure filters appropriately)
[jessie] - tomcat8 <no-dsa> (Minor issue; user expected to configure filters appropriately)
tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
[wheezy] - tomcat7 <not-affected> (vulnerable code not present)
Since 7.0.72-3, src:tomcat7 only builds the Servlet API
https://svn.apache.org/r1831728 (8.5.x)
https://svn.apache.org/r1831729 (8.0.x)
https://svn.apache.org/r1831730 (7.0.x)
https://bz.apache.org/bugzilla/show_bug.cgi?id=62343
It is expected that users of the CORS filter will have configured it appropriately
for their einvironment rather than using it in the default configuration

Search for package or bug name: Reporting problems