The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tomcat | Apache | 7.0.41 (including) | 7.0.88 (including) |
| Tomcat | Apache | 8.0.0 (including) | 8.0.52 (including) |
| Tomcat | Apache | 8.5.0 (including) | 8.5.31 (including) |
| Tomcat | Apache | 9.0.0 (including) | 9.0.8 (including) |
| Tomcat | Apache | 8.0.0-rc1 (including) | 8.0.0-rc1 (including) |
| Tomcat | Apache | 9.0.0-milestone1 (including) | 9.0.0-milestone1 (including) |
| Red Hat Enterprise Linux 7 | RedHat | tomcat-0:7.0.76-9.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | pki-deps:10.6-8000020190524054914.55190bc5 | * |
| Red Hat Fuse 7.2 | RedHat | tomcat | * |
| Red Hat JBoss Web Server 3.1 | RedHat | tomcat7 | * |
| Red Hat JBoss Web Server 3.1 | RedHat | tomcat8 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat7-0:7.0.70-27.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat8-0:8.0.36-31.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat-native-0:1.2.17-17.redhat_17.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat7-0:7.0.70-27.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat8-0:8.0.36-31.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat-native-0:1.2.17-17.redhat_17.ep7.el7 | * |
| Red Hat JBoss Web Server 5.0 | RedHat | * | |
| Red Hat JBoss Web Server 5.0 on RHEL 6 | RedHat | jws5-ecj-0:4.6.1-6.redhat_1.1.el6jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 6 | RedHat | jws5-javapackages-tools-0:3.4.1-5.15.10.el6jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 6 | RedHat | jws5-jboss-logging-0:3.3.1-5.Final_redhat_1.1.el6jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 6 | RedHat | jws5-mod_cluster-0:1.4.0-9.Final_redhat_1.1.el6jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 6 | RedHat | jws5-tomcat-0:9.0.7-17.redhat_16.1.el6jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 6 | RedHat | jws5-tomcat-native-0:1.2.17-26.redhat_26.el6jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 6 | RedHat | jws5-tomcat-vault-0:1.1.7-5.Final_redhat_2.1.el6jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 7 | RedHat | jws5-ecj-0:4.6.1-6.redhat_1.1.el7jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 7 | RedHat | jws5-javapackages-tools-0:3.4.1-5.15.10.el7jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 7 | RedHat | jws5-jboss-logging-0:3.3.1-5.Final_redhat_1.1.el7jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 7 | RedHat | jws5-mod_cluster-0:1.4.0-9.Final_redhat_1.1.el7jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 7 | RedHat | jws5-tomcat-0:9.0.7-17.redhat_16.1.el7jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 7 | RedHat | jws5-tomcat-native-0:1.2.17-26.redhat_26.el7jws | * |
| Red Hat JBoss Web Server 5.0 on RHEL 7 | RedHat | jws5-tomcat-vault-0:1.1.7-5.Final_redhat_2.1.el7jws | * |
| Tomcat7 | Ubuntu | esm-apps/xenial | * |
| Tomcat7 | Ubuntu | trusty | * |
| Tomcat7 | Ubuntu | upstream | * |
| Tomcat7 | Ubuntu | xenial | * |
| Tomcat8 | Ubuntu | artful | * |
| Tomcat8 | Ubuntu | bionic | * |
| Tomcat8 | Ubuntu | cosmic | * |
| Tomcat8 | Ubuntu | upstream | * |
| Tomcat8 | Ubuntu | xenial | * |
| Tomcat8.0 | Ubuntu | artful | * |
| Tomcat8.0 | Ubuntu | upstream | * |
Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.