Insecure Default Initialization of Resource Affecting tomcat7-docs-webapp package, versions <0:7.0.90-1.33.amzn1


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
14.81% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN201803-TOMCAT7DOCSWEBAPP-1715209
  • published27 Sept 2021
  • disclosed16 May 2018

Introduced: 16 May 2018

CVE-2018-8014  (opens in a new tab)
CWE-1188  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2018.03 tomcat7-docs-webapp to version 0:7.0.90-1.33.amzn1 or higher.
This issue was patched in ALAS-2018-1055.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tomcat7-docs-webapp package and not the tomcat7-docs-webapp package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

References