Critical severity9.8NVD Advisory· Published May 16, 2018· Updated Jun 17, 2026
CVE-2018-8014
CVE-2018-8014
Description
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0.M1, < 9.0.9 | 9.0.9 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.0, < 8.5.32 | 8.5.32 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.0.0RC1, < 8.0.53 | 8.0.53 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 7.0.41, < 7.0.88 | 7.0.88 |
Affected products
35- ghsa-coords34 versionspkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:rpm/almalinux/apache-commons-collectionspkg:rpm/almalinux/apache-commons-langpkg:rpm/almalinux/bea-stax-apipkg:rpm/almalinux/glassfish-fastinfosetpkg:rpm/almalinux/glassfish-jaxb-apipkg:rpm/almalinux/glassfish-jaxb-corepkg:rpm/almalinux/glassfish-jaxb-runtimepkg:rpm/almalinux/glassfish-jaxb-txw2pkg:rpm/almalinux/jackson-module-jaxb-annotationspkg:rpm/almalinux/jakarta-commons-httpclientpkg:rpm/almalinux/javassistpkg:rpm/almalinux/javassist-javadocpkg:rpm/almalinux/python3-nsspkg:rpm/almalinux/python-nss-docpkg:rpm/almalinux/relaxngDatatypepkg:rpm/almalinux/slf4jpkg:rpm/almalinux/slf4j-jdk14pkg:rpm/almalinux/stax-expkg:rpm/almalinux/velocitypkg:rpm/almalinux/xalan-j2pkg:rpm/almalinux/xerces-j2pkg:rpm/almalinux/xml-commons-apispkg:rpm/almalinux/xml-commons-resolverpkg:rpm/almalinux/xmlstreambufferpkg:rpm/almalinux/xsompkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
>= 9.0.0.M1, < 9.0.9+ 33 more
- (no CPE)range: >= 9.0.0.M1, < 9.0.9
- (no CPE)range: < 3.2.2-10.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.6-21.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 1.2.0-16.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 1.2.13-9.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 2.2.12-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-11.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 2.2.11-11.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.2.11-11.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 2.7.6-4.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 1:3.1-28.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 3.18.1-8.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 3.18.1-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma
- (no CPE)range: < 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma
- (no CPE)range: < 2011.1-7.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.25-4.module_el8.6.0+2752+f1f3449e
- (no CPE)range: < 1.7.25-4.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.7.7-8.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 1.7-24.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 2.7.1-38.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 2.11.0-34.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 1.4.01-25.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 1.2-26.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 1.5.4-8.module_el8.5.0+2577+9e95fe00
- (no CPE)range: < 0-19.20110809svn.module_el8.5.0+150+5f0dbea0
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.36-8.4
- (no CPE)range: < 9.0.10-3.7.1
- (no CPE)range: < 8.0.53-10.35.1
- (no CPE)range: < 8.0.53-29.13.1
- (no CPE)range: < 7.0.90-7.23.1
- (no CPE)range: < 8.0.53-10.35.1
- (no CPE)range: < 8.0.53-29.13.1
- Apache Software Foundation/Apache Tomcatv5Range: 9.0.0.M1 to 9.0.8
Patches
Vulnerability mechanics
References
68- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlnvdPatchThird Party AdvisoryWEB
- security.netapp.com/advisory/ntap-20181018-0002/nvdPatchThird Party Advisory
- tomcat.apache.org/security-7.htmlnvdVendor AdvisoryWEB
- tomcat.apache.org/security-8.htmlnvdVendor AdvisoryWEB
- tomcat.apache.org/security-9.htmlnvdVendor AdvisoryWEB
- www.securityfocus.com/bid/104203nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1040998nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1041888nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2018:2469nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2470nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:3768nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2019:0450nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2019:0451nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-r4x2-3cq5-hqvpghsaADVISORY
- lists.debian.org/debian-lts-announce/2018/06/msg00008.htmlnvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2018-8014ghsaADVISORY
- usn.ubuntu.com/3665-1/nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:1529nvdWEB
- access.redhat.com/errata/RHSA-2019:2205nvdWEB
- github.com/apache/tomcat/commit/5877390a9605f56d9bd6859a54ccbfb16374a78bghsaWEB
- github.com/apache/tomcat/commit/60f596a21fd6041335a3a1a4015d4512439cecb5ghsaWEB
- github.com/apache/tomcat/commit/d83a76732e6804739b81d8b2056365307637b42dghsaWEB
- github.com/apache/tomcat80/commit/2c9d8433bd3247a2856d4b2555447108758e813eghsaWEB
- lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3EnvdWEB
- lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1%40%3Cannounce.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2019/08/msg00015.htmlnvdWEB
- seclists.org/bugtraq/2019/Dec/43nvdWEB
- security.netapp.com/advisory/ntap-20181018-0002ghsaWEB
- usn.ubuntu.com/3665-1ghsaWEB
- web.archive.org/web/20181017143233/http://www.securityfocus.com/bid/104203ghsaWEB
- web.archive.org/web/20201207080723/http://www.securitytracker.com/id/1041888ghsaWEB
- web.archive.org/web/20201207101131/http://www.securitytracker.com/id/1040998ghsaWEB
- www.debian.org/security/2019/dsa-4596nvdWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlnvdWEB
News mentions
0No linked articles in our index yet.