
CVE-2018-8034

Improper Certificate Validation

Published: Aug 01, 2018 | Modified: Dec 08, 2023
CVSS 3.x: 7.5 HIGH (Source: NVD)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 2.x: 5.0 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N

The WebSocket client in Apache Tomcat (the javax.websocket client container) did not perform host name verification when connecting over TLS (wss://). The server certificate's chain of trust was validated, but the certificate was never checked against the host name in the connection URI, so an attacker positioned between the client and the server could terminate the TLS connection with any certificate issued by a CA the client trusts and read the WebSocket traffic (network vector, no authentication or user interaction, confidentiality impact). Host name verification is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
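The JSSE setting behind this class of bug, as an added illustration (this is not Tomcat's code and not the patch itself; the host name and port are hypothetical). A client-mode SSLEngine validates the server's certificate chain on its own, but it only matches the certificate's identity against the target host when an endpoint identification algorithm is set on its SSLParameters. Passing host and port to createSSLEngine does not do that by itself, which is the trap a WebSocket or any other hand-rolled TLS client falls into; the hardened form sets the "HTTPS" (RFC 2818) algorithm, which is what "host name verification enabled by default" means in JSSE terms.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Added illustration of the JSSE switch behind CVE-2018-8034. Not Tomcat code.
 * A client-mode SSLEngine validates the server's certificate chain on its own,
 * but checks the certificate against the target host only when an endpoint
 * identification algorithm has been set.
 */
public class WsClientHostNameVerification {

    /** Pattern of the vulnerable client: chain validation only, no host name check. */
    static SSLEngine engineWithoutHostNameCheck(SSLContext ctx, String host, int port) {
        // host/port are advisory here (SNI, session caching); supplying them does
        // not make JSSE match the peer certificate against host.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    /** Hardened form: RFC 2818 ("HTTPS") host name verification during the handshake. */
    static SSLEngine engineWithHostNameCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = engineWithoutHostNameCheck(ctx, host, port);
        SSLParameters params = engine.getSSLParameters(); // returns a copy
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);                  // must be written back
        return engine;
    }

    /** Check that can be applied to any SSLEngine a WebSocket/TLS client is about to use. */
    static boolean verifiesHostName(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String host = "ws.example.test"; // hypothetical wss:// target
        System.out.println("without fix: verifiesHostName = "
                + verifiesHostName(engineWithoutHostNameCheck(ctx, host, 443)));
        System.out.println("with fix:    verifiesHostName = "
                + verifiesHostName(engineWithHostNameCheck(ctx, host, 443)));
    }
}
```

A freshly created SSLEngine reports no endpoint identification algorithm, so verifiesHostName is the check to add to a code review or a unit test of any client that builds its own engine; HttpsURLConnection sets the algorithm for you, a raw SSLEngine or SSLSocket does not.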

Weakness

CWE-295: Improper Certificate Validation. The product does not validate, or incorrectly validates, a certificate. In this case the chain of trust was validated but the certificate was never bound to the host the client was connecting to, so a certificate for any name from any trusted CA was accepted for any wss:// server.

Affected Software

Name    Vendor  Start Version                  End Version
Tomcat  Apache  7.0.35 (including)             7.0.88 (including)
Tomcat  Apache  8.0.0-rc1 (including)          8.0.0-rc10 (including)    (the CPE data lists rc1 through rc10 as ten individual entries)
Tomcat  Apache  8.0.0 (including)              8.0.52 (including)
Tomcat  Apache  8.5.0 (including)              8.5.31 (including)
Tomcat  Apache  9.0.0-milestone1 (including)   9.0.0-milestone27 (including)   (the CPE data lists milestone1 through milestone27 as 27 individual entries)
Tomcat  Apache  9.0.1 (including)              9.0.9 (including)

The milestone and release-candidate rows are the CPE spelling of the advisory's 9.0.0.M1 and 8.0.0.RC1 lower bounds. The 9.0.x range starts at 9.0.1 because 9.0.0.M27 was the last milestone and there is no 9.0.0 final release; together the two 9.0 rows cover 9.0.0.M1 to 9.0.9.
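Triage of an inventory against the ranges above needs a version comparison that understands Tomcat's milestone and release-candidate numbering, since a plain string or numeric compare puts 9.0.0.M27 after 9.0.9 or drops it entirely. The following is an added example, not code from the page or from the Tomcat project; the affected ranges are taken from the advisory text, the sample inputs are constructed, and the accepted spellings are the ones Tomcat prints ("Apache Tomcat/9.0.0.M27", "8.0.0.RC1", "7.0.88") plus the NVD CPE forms ("9.0.0-milestone27", "8.0.0-rc1").

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the page or the Tomcat project): decide whether a
 * Tomcat version string falls inside one of the CVE-2018-8034 affected ranges.
 */
public class Cve20188034VersionCheck {

    // major.minor.patch with an optional milestone (M / milestone) or
    // release-candidate (RC / rc) qualifier, separated by "." or "-".
    private static final Pattern VERSION = Pattern.compile(
            "^(\\d+)\\.(\\d+)\\.(\\d+)(?:[.-](M|RC|milestone|rc)(\\d+))?$",
            Pattern.CASE_INSENSITIVE);

    // Affected ranges as stated in the advisory, inclusive on both ends.
    private static final String[][] AFFECTED = {
            { "7.0.35", "7.0.88" },
            { "8.0.0.RC1", "8.0.52" },
            { "8.5.0", "8.5.31" },
            { "9.0.0.M1", "9.0.9" },
    };

    /** Sort key: major, minor, patch, 0 for pre-release / 1 for final, pre-release number. */
    static int[] key(String version) {
        String v = version.trim();
        if (v.startsWith("Apache Tomcat/")) {          // "Server version:" line of bin/version.sh
            v = v.substring("Apache Tomcat/".length());
        }
        Matcher m = VERSION.matcher(v);
        if (!m.matches()) {
            throw new IllegalArgumentException("unrecognised Tomcat version: " + version);
        }
        boolean preRelease = m.group(4) != null;
        return new int[] {
                Integer.parseInt(m.group(1)),
                Integer.parseInt(m.group(2)),
                Integer.parseInt(m.group(3)),
                preRelease ? 0 : 1,                       // 9.0.0.M27 sorts before 9.0.1
                preRelease ? Integer.parseInt(m.group(5)) : 0
        };
    }

    static int compare(String a, String b) {
        int[] ka = key(a), kb = key(b);
        for (int i = 0; i < ka.length; i++) {
            int c = Integer.compare(ka[i], kb[i]);
            if (c != 0) return c;
        }
        return 0;
    }

    static boolean isAffected(String version) {
        for (String[] range : AFFECTED) {
            if (compare(version, range[0]) >= 0 && compare(version, range[1]) <= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering both range boundaries and both spellings.
        String[] samples = {
                "Apache Tomcat/7.0.34", "Apache Tomcat/7.0.88", "Apache Tomcat/7.0.90",
                "8.0.0.RC1", "8.0.0-rc10", "8.0.52", "8.0.53", "8.5.31", "8.5.32",
                "9.0.0.M1", "9.0.0-milestone27", "9.0.9", "9.0.10"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAffected(s) ? "AFFECTED" : "not affected"));
        }
    }
}
```

The pre-release flag in the key is what keeps 8.0.0.RC10 below 8.0.1 and 9.0.0.M27 below 9.0.1; feed it the "Server version:" line from bin/version.sh (or the version in the Server header of an unhardened instance) rather than a jar file name, which may carry a distribution suffix the pattern rejects on purpose.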

Potential Mitigations

Upgrade to a release in which host name verification is enabled by default for the WebSocket client: Apache Tomcat 9.0.10, 8.5.32, 8.0.53 or 7.0.90, or later on the respective branch. The advisory lists no configuration workaround for the affected versions. After upgrading, a client whose wss:// URI host does not match the server certificate (for example connecting by IP address, or to a self-signed certificate with the wrong CN or subjectAltName) will fail the TLS handshake; the correct fix is a certificate that matches the host, not disabling the check.

References

https://nvd.nist.gov/vuln/detail/CVE-2018-8034
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-7.html