CVE-2018-8014 High Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2018-8014 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.31.jar

Core Tomcat implementation

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.31/tomcat-embed-core-8.5.31.jar

Library home page: http://tomcat.apache.org/

Dependency Hierarchy:

• spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-2.0.3.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.31.jar (Vulnerable Library)

Vulnerability Details

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Publish Date: 2018-05-16

URL: CVE-2018-8014

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041888

Fix Resolution: The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - October 2018.

The vendor advisory is available at:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

---

Step up your Open Source Security Game with WhiteSource here