CVE-2018-8014
The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins
Description
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
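An added audit script, not part of this advisory or of Tomcat, that parses a web.xml and flags a CorsFilter whose effective settings are the insecure default described above (wildcard origin plus credentials); the two embedded web.xml samples are constructed, and the default values filled in for omitted init-params are those documented for the affected releases.

```python
"""Audit a Tomcat web.xml for the CVE-2018-8014 CORS filter default."""
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"
# Values the affected releases apply when the init-param is omitted (any origin,
# credentials on); the 9.0.9 fix changes the credentials default to false.
DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}

# Constructed sample: CorsFilter declared with no init-params (the insecure default).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
</web-app>"""

# Constructed sample: explicit origin allow-list, so credentials only go to that origin.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name>
      <param-value>true</param-value></init-param></filter>
</web-app>"""

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the web-app XML namespace prefix

def _child_text(el, name):
    for c in el:
        if _local(c) == name:
            return (c.text or "").strip()
    return ""

def cors_filter_params(web_xml):
    """Effective init-param map (defaults filled in) of each CorsFilter declared."""
    found = []
    for f in ET.fromstring(web_xml).iter():
        if _local(f) == "filter" and _child_text(f, "filter-class") == CORS_FILTER:
            params = dict(DEFAULTS)
            for p in (c for c in f if _local(c) == "init-param"):
                params[_child_text(p, "param-name")] = _child_text(p, "param-value")
            found.append(params)
    return found

def is_insecure(params):
    """True when credentials are allowed for a wildcard origin (the CVE condition)."""
    origins = {o.strip() for o in params["cors.allowed.origins"].split(",")}
    return params["cors.support.credentials"].lower() == "true" and "*" in origins

def audit(web_xml):
    return [is_insecure(p) for p in cors_filter_params(web_xml)]
```

`audit(WEAK_WEB_XML)` returns `[True]` and `audit(HARDENED_WEB_XML)` returns `[False]`; a deployment that cannot upgrade yet should at minimum set an explicit origin list or turn credentials off.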
How to fix CVE-2018-8014
To remediate CVE-2018-8014, upgrade the affected package to a fixed version below.
- Upgrade to 9.0.9 or later
Is CVE-2018-8014 being exploited?
Likely — EPSS is 61.2%, placing CVE-2018-8014 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- >= 9.0.0.M1, < 9.0.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |