CVE-2018-8014 (High) detected in tomcat-embed-core-8.0.20.jar

[mend-for-github-com[bot]]

CVE-2018-8014 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.0.20.jar

Core Tomcat implementation

Dependency Hierarchy:

• spring-boot-starter-tomcat-1.2.3.RELEASE.jar (Root Library)
  • :x: tomcat-embed-core-8.0.20.jar (Vulnerable Library)

Found in HEAD commit: 02e23e894c65d5a9ac94fe97a3b06758376ae333

Vulnerability Details

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Publish Date: 2018-05-16

URL: CVE-2018-8014

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014

Release Date: 2018-05-16

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.10,8.5.32,8.0.53,7.0.90,org.apache.tomcat:tomcat-catalina:9.0.10,8.5.32,8.0.53,7.0.90