| Name | CVE-2018-8014 |
| Description | The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1400-1, DLA-1883-1, DSA-4596-1 |
| Debian Bugs | 898935 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat7 (PTS) | jessie, jessie (lts) | 7.0.56-3+really7.0.109-1+deb8u6 | fixed |
| stretch | 7.0.75-1 | fixed | |
| tomcat8 (PTS) | jessie, jessie (lts) | 8.0.14-1+deb8u28 | fixed |
| stretch (security) | 8.5.54-0+deb9u8 | fixed | |
| stretch (lts), stretch | 8.5.54-0+deb9u15 | fixed | |
| tomcat9 (PTS) | buster (security), buster, buster (lts) | 9.0.31-1~deb10u12 | fixed |
| bullseye (security), bullseye | 9.0.43-2~deb11u10 | fixed | |
| bookworm | 9.0.70-2 | fixed | |
| sid, trixie | 9.0.95-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat7 | source | wheezy | (not affected) | |||
| tomcat7 | source | jessie | 7.0.56-3+really7.0.88-1 | DLA-1400-1 | ||
| tomcat7 | source | (unstable) | 7.0.72-3 | |||
| tomcat8 | source | jessie | 8.0.14-1+deb8u15 | DLA-1883-1 | ||
| tomcat8 | source | stretch | 8.5.50-0+deb9u1 | DSA-4596-1 | ||
| tomcat8 | source | (unstable) | 8.5.32-1 | 898935 | ||
| tomcat8.0 | source | (unstable) | (unfixed) | unimportant | ||
| tomcat9 | source | (unstable) | (not affected) |
- tomcat9 <not-affected> (Fixed before initial upload to Debian)
tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java
[wheezy] - tomcat7 <not-affected> (vulnerable code not present)
Since 7.0.72-3, src:tomcat7 only builds the Servlet API
https://svn.apache.org/r1831728 (8.5.x)
https://svn.apache.org/r1831729 (8.0.x)
https://svn.apache.org/r1831730 (7.0.x)
https://bz.apache.org/bugzilla/show_bug.cgi?id=62343
It is expected that users of the CORS filter will have configured it appropriately
for their einvironment rather than using it in the default configuration