CVE-2018-8014

NameCVE-2018-8014
DescriptionThe defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1400-1, DLA-1883-1, DSA-4596-1
Debian Bugs898935

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat9 (PTS)bullseye (security), bullseye9.0.43-2~deb11u10fixed
bookworm9.0.70-2fixed
sid, trixie9.0.95-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat7sourcewheezy(not affected)
tomcat7sourcejessie7.0.56-3+really7.0.88-1DLA-1400-1
tomcat7source(unstable)7.0.72-3
tomcat8sourcejessie8.0.14-1+deb8u15DLA-1883-1
tomcat8sourcestretch8.5.50-0+deb9u1DSA-4596-1
tomcat8source(unstable)8.5.32-1898935
tomcat8.0source(unstable)(unfixed)unimportant
tomcat9source(unstable)(not affected)

Notes

- tomcat9 <not-affected> (Fixed before initial upload to Debian)
tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
[wheezy] - tomcat7 <not-affected> (vulnerable code not present)
Since 7.0.72-3, src:tomcat7 only builds the Servlet API
https://svn.apache.org/r1831728 (8.5.x)
https://svn.apache.org/r1831729 (8.0.x)
https://svn.apache.org/r1831730 (7.0.x)
https://bz.apache.org/bugzilla/show_bug.cgi?id=62343
It is expected that users of the CORS filter will have configured it appropriately
for their einvironment rather than using it in the default configuration

Search for package or bug name: Reporting problems