Information disclosure in Apache Tomcat - CVE-2018-8014
Published: May 17, 2018 / Updated: July 25, 2018
Vulnerability identifier: #VU12798
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-8014
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Tomcat
Apache Tomcat
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to the defaults settings for the CORS filter are insecure and enable
supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. A remote attacker can access important data.How to mitigate CVE-2018-8014
Update to version 8.0.53 or 8.5.32.
Update to version 9.0.9.
Update to version 9.0.9.