CVE-2018-8014

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Weakness

The product initializes or sets a resource with a default that is intended to be changed by the product’s installer, administrator, or maintainer, but the default is not secure.

Affected Software

Name	Vendor	Start Version	End Version
Tomcat	Apache	7.0.41 (including)	7.0.88 (including)
Tomcat	Apache	8.0.0 (including)	8.0.52 (including)
Tomcat	Apache	8.5.0 (including)	8.5.31 (including)
Tomcat	Apache	9.0.0 (including)	9.0.8 (including)
Tomcat	Apache	8.0.0-rc1 (including)	8.0.0-rc1 (including)
Tomcat	Apache	9.0.0-milestone1 (including)	9.0.0-milestone1 (including)
Red Hat Enterprise Linux 7	RedHat	tomcat-0:7.0.76-9.el7	*
Red Hat Enterprise Linux 8	RedHat	pki-deps:10.6-8000020190524054914.55190bc5	*
Red Hat Fuse 7.2	RedHat	tomcat	*
Red Hat JBoss Web Server 3.1	RedHat	tomcat7	*
Red Hat JBoss Web Server 3.1	RedHat	tomcat8	*
Red Hat JBoss Web Server 3 for RHEL 6	RedHat	tomcat7-0:7.0.70-27.ep7.el6	*
Red Hat JBoss Web Server 3 for RHEL 6	RedHat	tomcat8-0:8.0.36-31.ep7.el6	*
Red Hat JBoss Web Server 3 for RHEL 6	RedHat	tomcat-native-0:1.2.17-17.redhat_17.ep7.el6	*
Red Hat JBoss Web Server 3 for RHEL 7	RedHat	tomcat7-0:7.0.70-27.ep7.el7	*
Red Hat JBoss Web Server 3 for RHEL 7	RedHat	tomcat8-0:8.0.36-31.ep7.el7	*
Red Hat JBoss Web Server 3 for RHEL 7	RedHat	tomcat-native-0:1.2.17-17.redhat_17.ep7.el7	*
Red Hat JBoss Web Server 5.0	RedHat	tomcat	*
Red Hat JBoss Web Server 5.0 on RHEL 6	RedHat	jws5-ecj-0:4.6.1-6.redhat_1.1.el6jws	*
Red Hat JBoss Web Server 5.0 on RHEL 6	RedHat	jws5-javapackages-tools-0:3.4.1-5.15.10.el6jws	*
Red Hat JBoss Web Server 5.0 on RHEL 6	RedHat	jws5-jboss-logging-0:3.3.1-5.Final_redhat_1.1.el6jws	*
Red Hat JBoss Web Server 5.0 on RHEL 6	RedHat	jws5-mod_cluster-0:1.4.0-9.Final_redhat_1.1.el6jws	*
Red Hat JBoss Web Server 5.0 on RHEL 6	RedHat	jws5-tomcat-0:9.0.7-17.redhat_16.1.el6jws	*
Red Hat JBoss Web Server 5.0 on RHEL 6	RedHat	jws5-tomcat-native-0:1.2.17-26.redhat_26.el6jws	*
Red Hat JBoss Web Server 5.0 on RHEL 6	RedHat	jws5-tomcat-vault-0:1.1.7-5.Final_redhat_2.1.el6jws	*
Red Hat JBoss Web Server 5.0 on RHEL 7	RedHat	jws5-ecj-0:4.6.1-6.redhat_1.1.el7jws	*
Red Hat JBoss Web Server 5.0 on RHEL 7	RedHat	jws5-javapackages-tools-0:3.4.1-5.15.10.el7jws	*
Red Hat JBoss Web Server 5.0 on RHEL 7	RedHat	jws5-jboss-logging-0:3.3.1-5.Final_redhat_1.1.el7jws	*
Red Hat JBoss Web Server 5.0 on RHEL 7	RedHat	jws5-mod_cluster-0:1.4.0-9.Final_redhat_1.1.el7jws	*
Red Hat JBoss Web Server 5.0 on RHEL 7	RedHat	jws5-tomcat-0:9.0.7-17.redhat_16.1.el7jws	*
Red Hat JBoss Web Server 5.0 on RHEL 7	RedHat	jws5-tomcat-native-0:1.2.17-26.redhat_26.el7jws	*
Red Hat JBoss Web Server 5.0 on RHEL 7	RedHat	jws5-tomcat-vault-0:1.1.7-5.Final_redhat_2.1.el7jws	*
Tomcat7	Ubuntu	esm-apps/xenial	*
Tomcat7	Ubuntu	esm-infra-legacy/trusty	*
Tomcat7	Ubuntu	trusty	*
Tomcat7	Ubuntu	trusty/esm	*
Tomcat7	Ubuntu	upstream	*
Tomcat7	Ubuntu	xenial	*
Tomcat8	Ubuntu	artful	*
Tomcat8	Ubuntu	bionic	*
Tomcat8	Ubuntu	cosmic	*
Tomcat8	Ubuntu	esm-apps/bionic	*
Tomcat8	Ubuntu	esm-infra/xenial	*
Tomcat8	Ubuntu	upstream	*
Tomcat8	Ubuntu	xenial	*
Tomcat8.0	Ubuntu	artful	*
Tomcat8.0	Ubuntu	upstream	*

https://cwe.mitre.org/data/definitions/665.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-8014
CWE	https://cwe.mitre.org/data/definitions/1188.html

Initialization of a Resource with an Insecure Default

Weakness

Affected Software

References

CVE-2018-8014

Initialization of a Resource with an Insecure Default

Weakness

Affected Software

Related Attack Patterns

References