CVE-2018-8014
Description
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
48.785
Associated Vulnerability
| Remediation | OS Platform |
|---|---|
| Update Tomcat to 9.5.14 | Windows |
| Update Tomcat to 9.5.5 | Windows |
| Update Tomcat to 9.5.7 | Windows |
| Update Tomcat to 9.5.8 | Windows |
| Update Tomcat to 9.6.10 | Windows |
| Update Tomcat to 9.6.3 | Windows |
| Update Tomcat to 9.6.4 | Windows |
| Update Tomcat to 9.6.7 | Windows |
| Update Tomcat to 9.6.8 | Windows |
| Update Tomcat to 2.4.5 | Windows |
| Update Tomcat to 3.0.14 | Windows |
| Vulnerabilities CVE-2018-8037,CVE-2018-8034,CVE-2018-8014 are fixed in Apache - tomcat-embed-core 8.5.32 | Windows |
| Vulnerabilities CVE-2018-8034,CVE-2018-8014 are fixed in Apache - tomcat-embed-core 8.0.53 | Windows |
| Vulnerabilities CVE-2018-8014 are fixed in Apache - tomcat-embed-core 7.0.88 | Windows |
| Vulnerabilities CVE-2018-8014 are fixed in Apache - tomcat-embed-core 9.0.9 | Windows |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-admin-webapps-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-docs-webapp-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-el-3_0-api-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-javadoc-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-jsp-2_3-api-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-lib-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-servlet-3_1-api-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-webapps-8.0.53-29.13.1.noarch.rpm | Linux |
| tomcat8 security update(DSA-4596-1) tomcat8_8.5.50-0+deb9u1_all.deb | Linux |
| (RHSA-2019:1529) pki-deps:10.6 security update pki-servlet-container-9.0.7-14.module+el8.0.0+3248+9d514f3b.noarch.rpm | Linux |
| Python-nss-doc update (ELSA-2019-1529) python-nss-doc-1.0.1-10.module+el8.0.0+5231+3e842911.x86_64.rpm | Linux |
| Python3-nss update (ELSA-2019-1529) python3-nss-1.0.1-10.module+el8.0.0+5231+3e842911.x86_64.rpm | Linux |
| Apache-commons-collections update (ELSA-2019-1529) apache-commons-collections-3.2.2-10.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Apache-commons-lang update (ELSA-2019-1529) apache-commons-lang-2.6-21.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Bea-stax-api update (ELSA-2019-1529) bea-stax-api-1.2.0-16.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-fastinfoset update (ELSA-2019-1529) glassfish-fastinfoset-1.2.13-9.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-jaxb-api update (ELSA-2019-1529) glassfish-jaxb-api-2.2.12-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-jaxb-core update (ELSA-2019-1529) glassfish-jaxb-core-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-jaxb-runtime update (ELSA-2019-1529) glassfish-jaxb-runtime-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-jaxb-txw2 update (ELSA-2019-1529) glassfish-jaxb-txw2-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-annotations update (ELSA-2019-1529) jackson-annotations-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-core update (ELSA-2019-1529) jackson-core-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-databind update (ELSA-2019-1529) jackson-databind-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-jaxrs-json-provider update (ELSA-2019-1529) jackson-jaxrs-json-provider-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-jaxrs-providers update (ELSA-2019-1529) jackson-jaxrs-providers-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-module-jaxb-annotations update (ELSA-2019-1529) jackson-module-jaxb-annotations-2.7.6-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jakarta-commons-httpclient update (ELSA-2019-1529) jakarta-commons-httpclient-3.1-28.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Javassist update (ELSA-2019-1529) javassist-3.18.1-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Javassist-javadoc update (ELSA-2019-1529) javassist-javadoc-3.18.1-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Pki-servlet-4.0-api update (ELSA-2019-1529) pki-servlet-4.0-api-9.0.7-14.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Pki-servlet-container update (ELSA-2019-1529) pki-servlet-container-9.0.7-14.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| RelaxngDatatype update (ELSA-2019-1529) relaxngDatatype-2011.1-7.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Resteasy update (ELSA-2019-1529) resteasy-3.0.26-3.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Slf4j update (ELSA-2019-1529) slf4j-1.7.25-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Slf4j-jdk14 update (ELSA-2019-1529) slf4j-jdk14-1.7.25-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Stax-ex update (ELSA-2019-1529) stax-ex-1.7.7-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Velocity update (ELSA-2019-1529) velocity-1.7-24.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xalan-j2 update (ELSA-2019-1529) xalan-j2-2.7.1-38.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xerces-j2 update (ELSA-2019-1529) xerces-j2-2.11.0-34.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xml-commons-apis update (ELSA-2019-1529) xml-commons-apis-1.4.01-25.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xml-commons-resolver update (ELSA-2019-1529) xml-commons-resolver-1.2-26.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xmlstreambuffer update (ELSA-2019-1529) xmlstreambuffer-1.5.4-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xsom update (ELSA-2019-1529) xsom-0-19.20110809svn.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Update Tomcat to 9.5.14 (For Linux) | Linux |
| Update Tomcat to 9.5.5 (For Linux) | Linux |
| Update Tomcat to 9.5.7 (For Linux) | Linux |
| Update Tomcat to 9.5.8 (For Linux) | Linux |
| Update Tomcat to 9.6.10 (For Linux) | Linux |
| Update Tomcat to 9.6.3 (For Linux) | Linux |
| Update Tomcat to 9.6.4 (For Linux) | Linux |
| Update Tomcat to 9.6.7 (For Linux) | Linux |
| Update Tomcat to 9.6.8 (For Linux) | Linux |
| Update Tomcat to 2.4.5 (For Linux) | Linux |
| Update Tomcat to 3.0.14 (For Linux) | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) slf4j-1.7.25-4.module+el8.5.0+697+f586bb30.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) velocity-1.7-24.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) xalan-j2-2.7.1-38.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) javassist-3.18.1-8.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) xerces-j2-2.11.0-34.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) javassist-javadoc-3.18.1-8.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) apache-commons-lang-2.6-21.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) xml-commons-resolver-1.2-26.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) apache-commons-collections-3.2.2-10.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) jakarta-commons-httpclient-3.1-28.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| Apache-commons-collections update (ELSA-2024-3061) apache-commons-collections-3.2.2-10.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Apache-commons-lang update (ELSA-2024-3061) apache-commons-lang-2.6-21.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Apache-commons-net update (ELSA-2024-3061) apache-commons-net-3.6-3.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Bea-stax-api update (ELSA-2024-3061) bea-stax-api-1.2.0-16.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Fasterxml-oss-parent update (ELSA-2024-3061) fasterxml-oss-parent-49-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-fastinfoset update (ELSA-2024-3061) glassfish-fastinfoset-1.2.13-9.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-jaxb-api update (ELSA-2024-3061) glassfish-jaxb-api-2.2.12-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-jaxb-core update (ELSA-2024-3061) glassfish-jaxb-core-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-jaxb-runtime update (ELSA-2024-3061) glassfish-jaxb-runtime-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-jaxb-txw2 update (ELSA-2024-3061) glassfish-jaxb-txw2-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Idm-jss update (ELSA-2024-3061) idm-jss-4.11.0-1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux |
| Idm-jss-javadoc update (ELSA-2024-3061) idm-jss-javadoc-4.11.0-1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux |
| Idm-ldapjdk update (ELSA-2024-3061) idm-ldapjdk-4.24.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-ldapjdk-javadoc update (ELSA-2024-3061) idm-ldapjdk-javadoc-4.24.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-acme update (ELSA-2024-3061) idm-pki-acme-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-base update (ELSA-2024-3061) idm-pki-base-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-base-java update (ELSA-2024-3061) idm-pki-base-java-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-ca update (ELSA-2024-3061) idm-pki-ca-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-kra update (ELSA-2024-3061) idm-pki-kra-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-server update (ELSA-2024-3061) idm-pki-server-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-symkey update (ELSA-2024-3061) idm-pki-symkey-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux |
| Idm-pki-tools update (ELSA-2024-3061) idm-pki-tools-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux |
| Idm-tomcatjss update (ELSA-2024-3061) idm-tomcatjss-7.8.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Jackson-annotations update (ELSA-2024-3061) jackson-annotations-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-bom update (ELSA-2024-3061) jackson-bom-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-core update (ELSA-2024-3061) jackson-core-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-databind update (ELSA-2024-3061) jackson-databind-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-jaxrs-json-provider update (ELSA-2024-3061) jackson-jaxrs-json-provider-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-jaxrs-providers update (ELSA-2024-3061) jackson-jaxrs-providers-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-module-jaxb-annotations update (ELSA-2024-3061) jackson-module-jaxb-annotations-2.14.2-2.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-modules-base update (ELSA-2024-3061) jackson-modules-base-2.14.2-2.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-parent update (ELSA-2024-3061) jackson-parent-2.14-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jakarta-commons-httpclient update (ELSA-2024-3061) jakarta-commons-httpclient-3.1-28.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Javassist update (ELSA-2024-3061) javassist-3.18.1-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Javassist-javadoc update (ELSA-2024-3061) javassist-javadoc-3.18.1-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Pki-servlet-engine update (ELSA-2024-3061) pki-servlet-engine-9.0.62-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Python3-idm-pki update (ELSA-2024-3061) python3-idm-pki-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| RelaxngDatatype update (ELSA-2024-3061) relaxngDatatype-2011.1-7.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Resteasy update (ELSA-2024-3061) resteasy-3.0.26-7.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Resteasy-javadoc update (ELSA-2024-3061) resteasy-javadoc-3.0.26-7.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Slf4j update (ELSA-2024-3061) slf4j-1.7.25-4.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Slf4j-jdk14 update (ELSA-2024-3061) slf4j-jdk14-1.7.25-4.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Stax-ex update (ELSA-2024-3061) stax-ex-1.7.7-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Velocity update (ELSA-2024-3061) velocity-1.7-24.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xalan-j2 update (ELSA-2024-3061) xalan-j2-2.7.1-38.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xerces-j2 update (ELSA-2024-3061) xerces-j2-2.11.0-34.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xml-commons-apis update (ELSA-2024-3061) xml-commons-apis-1.4.01-25.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xml-commons-resolver update (ELSA-2024-3061) xml-commons-resolver-1.2-26.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xmlstreambuffer update (ELSA-2024-3061) xmlstreambuffer-1.5.4-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xsom update (ELSA-2024-3061) xsom-0-19.20110809svn.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Vulnerabilities CVE-2018-8037,CVE-2018-8034,CVE-2018-8014 are fixed in Apache - tomcat-embed-core for Linux 8.5.32 | Linux |
| Vulnerabilities CVE-2018-8034,CVE-2018-8014 are fixed in Apache - tomcat-embed-core for Linux 8.0.53 | Linux |
| Vulnerabilities CVE-2018-8014 are fixed in Apache - tomcat-embed-core for Linux 7.0.88 | Linux |
| Vulnerabilities CVE-2018-8014 are fixed in Apache - tomcat-embed-core for Linux 9.0.9 | Linux |
Patch Details
No records found
References