Insecure Default Initialization of Resource Affecting tomcat-jsp-2_3-api package, versions <9.0.10-3.7.1
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES150-TOMCATJSP23API-2760058
- published 14 Apr 2022
- disclosed 28 Nov 2018
Introduced: 28 Nov 2018
CVE-2018-8014 Open this link in a new tabHow to fix?
Upgrade SLES:15.0
tomcat-jsp-2_3-api
to version 9.0.10-3.7.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream tomcat-jsp-2_3-api
package and not the tomcat-jsp-2_3-api
package as distributed by SLES:15.0
.
See How to fix?
for SLES:15.0
relevant fixed versions and status.
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
References
- CVE-2018-8014
- E-Mail link for SUSE-SU-2018:3011-1
- Link for SUSE-SU-2018:3011-1
- SUSE Bug 1067720
- SUSE Bug 1093697
- SUSE Bug 1102379
- SUSE Bug 1102400
- SUSE Bug 1102410
- SUSE CVE CVE-2018-1336 page
- SUSE CVE CVE-2018-8014 page
- SUSE CVE CVE-2018-8034 page
- SUSE CVE CVE-2018-8037 page
- SUSE Security Ratings
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org