Rick Riemer

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 9.0.0.M1 through 9.0.0.M21 Apache Tomcat versions 8.5.0 through 8.5.15 Apache Tomcat versions 8.0.0.RC1 through 8.0.44 Apache Tomcat versions 7.0.41 through 7.0.78 **Description** The issue is related to the CORS Filter in Apache Tomcat, which did not add an HTTP Vary header indicating that the response varies depending on Origin. This allowed for client and server-side cache poisoning in certain circumstances. The vulnerability is caused by incorrect authentication of data and can be exploited by a remote attacker to infect clients and servers under specific conditions. **Recommendations** For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M21, update to a version that includes the fix for the CORS Filter issue. For Apache Tomcat versions 8.5.0 through 8.5.15, update to a version that includes the fix for the CORS Filter issue. For Apache Tomcat versions 8.0.0.RC1 through 8.0.44, update to a version that includes the fix for the CORS Filter issue. For Apache Tomcat versions 7.0.41 through 7.0.78, update to a version that includes the fix for the CORS Filter issue. As a temporary workaround, consider restricting access to the CORS Filter until a patch is available.