PT-2018-2141 · Apache · Apache Tomcat
Published 2018-05-16 · Updated 2025-09-15 · CVE-2018-8014
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 9.0.0.M1 through 9.0.8
Apache Tomcat versions 8.5.0 through 8.5.31
Apache Tomcat versions 8.0.0.RC1 through 8.0.52
Apache Tomcat versions 7.0.41 through 7.0.88
Description
The issue is related to insufficient access control in the CORS component of the Apache Tomcat servlet container. This could allow a remote attacker to gain unauthorized access to protected data using the HTTP protocol. The default settings for the CORS filter are insecure, enabling supportsCredentials for all origins. However, it is expected that most users will not be impacted as they would have configured the filter according to their environment.
Recommendations
For Apache Tomcat versions 9.0.0.M1 through 9.0.8, consider configuring the CORS filter to restrict supportsCredentials to specific origins.
For Apache Tomcat versions 8.5.0 through 8.5.31, configure the CORS filter to limit supportsCredentials to necessary domains.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.52, adjust the CORS filter settings to securely manage supportsCredentials.
For Apache Tomcat versions 7.0.41 through 7.0.88, update the CORS filter configuration to properly restrict supportsCredentials for all origins.
Exploit
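The following web.xml fragment is an added illustration, not part of this advisory: it spells out the insecure pre-fix defaults (any origin plus credentials) next to a restricted configuration that implements the recommendation above. It assumes the init-param names of Tomcat's org.apache.catalina.filters.CorsFilter; the origins and URL pattern are constructed sample values.

```xml
<!-- Constructed example. Parameter names follow org.apache.catalina.filters.CorsFilter. -->

<!-- Weak: the pre-fix defaults written out. Every origin is allowed AND credentials
     (session cookies, HTTP auth) are accepted, so a page served from any other
     origin can read responses that carry the user's authenticated session. -->
<filter>
  <filter-name>CorsFilterWeak</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- Restricted: credentials are only honoured for an explicit list of origins,
     and the allowed methods are narrowed to what the API actually needs. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <!-- sample origins; never combine "*" with credentials -->
    <param-value>https://app.example.com,https://admin.example.com</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <!-- keep "true" only because the origin list above is explicit; use "false"
         if the cross-origin callers do not need cookies or HTTP auth -->
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,OPTIONS</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/api/*</url-pattern>
</filter-mapping>
```

Setting both cors.allowed.origins and cors.support.credentials explicitly also avoids relying on version-specific defaults when upgrading across the affected and fixed releases.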
Fix
Improper Access Control
Related Identifiers
Affected Products
Alt Linux
Almalinux
Apache Tomcat
Centos
Red Hat
Rocky Linux
Suse
Ubuntu