CVE-2018-8014
CORS Misconfiguration vulnerability in tomcat-embed-core (Maven)
What is CVE-2018-8014 About?
Apache Tomcat versions 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.41 to 7.0.88 ship insecure default settings for the CORS filter: `supportsCredentials` is enabled while all origins are allowed, which lets any web origin make credentialed cross-origin requests and read the responses, a bypass of the browser's same-origin protections. Exploitation relies on an application deploying the CORS filter with its default, insecure configuration.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
- >=8.0.0.RC1, <8.0.53
- >=8.5.0, <8.5.32
- >=9.0.0.M1, <9.0.9
- >=7.0.41, <7.0.88
Technical Details
The CORS filter (`org.apache.catalina.filters.CorsFilter`) in affected Apache Tomcat versions defaults `cors.support.credentials` to `true` while `cors.allowed.origins` defaults to `*`, so an application that declares the filter without overriding these init parameters allows credentialed requests from every origin. The CORS specification forbids browsers from exposing a credentialed response whose `Access-Control-Allow-Origin` is the literal wildcard `*`, but the filter never sends the wildcard in this configuration: when any origin is allowed and credentials are supported, it echoes the request's `Origin` header back as `Access-Control-Allow-Origin` and adds `Access-Control-Allow-Credentials: true`. To the browser this looks like an explicit per-origin grant, so script on any site can issue cross-origin requests carrying the victim's cookies or HTTP authentication and read the responses. This bypasses the same-origin policy and exposes whatever data the Tomcat-hosted application returns to that authenticated user.
What is the Impact of CVE-2018-8014?
Successful exploitation allows an attacker-controlled site to read responses from the vulnerable application using the victim's session, leading to information disclosure and unauthorized actions on the victim's behalf. Because the grant also covers preflighted requests, cross-origin requests with custom headers or content types that browsers would otherwise block become possible, which enables cross-site request forgery against endpoints that relied on that blocking.
What is the Exploitability of CVE-2018-8014?
Exploitation complexity is low to moderate: the attacker hosts a web page that issues credentialed cross-origin requests (for example `fetch()` with `credentials: 'include'`) to the vulnerable Tomcat instance and reads the responses. No authentication or privileges are needed on the attacker's side, since the flaw lies in the CORS response headers the filter emits for both simple and preflighted requests; the victim, however, must hold a valid session or HTTP credentials for the target application. The attack is remote. Two prerequisites apply: the application must declare the CORS filter in its `web.xml` (the filter is shipped but not active by default) with the default values for `cors.allowed.origins` and `cors.support.credentials`, and a user of that application must be lured to the malicious site. Impact grows with the sensitivity of the data the application returns to authenticated users.
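The following Python example, added here and not part of the original page or of Tomcat's code base, models the header decision described in the Technical Details section and provides the check a tester would run for the scenario described above. It reimplements the relevant branch of `CorsFilter` (echo the request's `Origin` when any origin is allowed and credentials are supported, otherwise send `*`; add `Access-Control-Allow-Credentials: true` when credentials are supported) for the pre-fix and post-fix defaults, and classifies a response's headers as exploitable when a foreign origin is echoed together with the credentials header. The `https://attacker.example` and `https://app.example` origins, the `probe()` helper, and the sample configurations are assumptions constructed for the demonstration.

```python
"""Model of Tomcat CorsFilter header selection plus a CORS misconfiguration check.
Added example, not Tomcat's own code; the filter branch it mirrors is described
in the page's Technical Details. Origins and helper names are constructed."""
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsConfig:
    """Mirrors the two CorsFilter init-params that matter for CVE-2018-8014."""
    allowed_origins: frozenset = frozenset({"*"})  # cors.allowed.origins
    support_credentials: bool = True               # cors.support.credentials


# Defaults before the fix (the vulnerable combination) and after it.
VULNERABLE_DEFAULTS = CorsConfig()
FIXED_DEFAULTS = CorsConfig(support_credentials=False)


def insecure_default(cfg: CorsConfig) -> bool:
    """True when the configuration is the wildcard-plus-credentials combination."""
    return "*" in cfg.allowed_origins and cfg.support_credentials


def cors_response_headers(cfg: CorsConfig, request_origin: str) -> dict:
    """Return the CORS headers the filter adds for a request carrying `request_origin`.

    Mirrors CorsFilter: a request from a non-allowed origin is rejected (the real
    filter answers 403 and adds no CORS headers); a literal '*' is sent only when
    any origin is allowed AND credentials are not supported; otherwise the request's
    Origin is echoed back, and Allow-Credentials is added when credentials are supported.
    """
    any_origin = "*" in cfg.allowed_origins
    if not any_origin and request_origin not in cfg.allowed_origins:
        return {}
    headers = {}
    if any_origin and not cfg.support_credentials:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        headers["Access-Control-Allow-Origin"] = request_origin
    if cfg.support_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_exposes_credentials(probe_origin: str, headers: dict) -> bool:
    """True when a browser at `probe_origin` may read a credentialed cross-origin response.

    Browsers reject a credentialed response whose Allow-Origin is the literal '*',
    so the dangerous case is an echoed origin together with Allow-Credentials: true.
    Probe with an origin you control that the target should never trust.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    acac = lowered.get("access-control-allow-credentials", "").strip().lower()
    return acao == probe_origin and acac == "true"


def probe(url: str, origin: str = "https://attacker.example") -> bool:
    """Live check against a URL you are authorised to test: send a GET with a foreign
    Origin header and classify the response headers. Not used in the offline demo."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req) as resp:
            return cors_exposes_credentials(origin, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:  # e.g. 403 from the filter; still inspect headers
        return cors_exposes_credentials(origin, dict(err.headers.items()))


if __name__ == "__main__":
    attacker = "https://attacker.example"  # constructed attacker-controlled origin
    for label, cfg in (("vulnerable defaults", VULNERABLE_DEFAULTS),
                       ("fixed defaults", FIXED_DEFAULTS)):
        hdrs = cors_response_headers(cfg, attacker)
        print(f"{label}: {hdrs} -> exploitable={cors_exposes_credentials(attacker, hdrs)}")
```

Running the module prints the echoed-origin plus `Access-Control-Allow-Credentials: true` pair for the vulnerable defaults and a bare `*` for the fixed defaults. An explicit allowlist with credentials enabled still echoes listed origins, which is the intended behaviour; the check only flags a problem when the unlisted probe origin is echoed, so always test with an origin that should not be trusted.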
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-8014?
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
- >=7.0.41, <7.0.88 → Upgrade to 7.0.88
- >=8.0.0.RC1, <8.0.53 → Upgrade to 8.0.53
- >=8.5.0, <8.5.32 → Upgrade to 8.5.32
- >=9.0.0.M1, <9.0.9 → Upgrade to 9.0.9
Additional Resources
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
- https://github.com/apache/tomcat80/commit/2c9d8433bd3247a2856d4b2555447108758e813e
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://access.redhat.com/errata/RHSA-2018:3768
- https://github.com/apache/tomcat/commit/d83a76732e6804739b81d8b2056365307637b42d
- https://seclists.org/bugtraq/2019/Dec/43
What are Similar Vulnerabilities to CVE-2018-8014?
Similar Vulnerabilities: CVE-2020-9484, CVE-2020-13936, CVE-2021-25122, CVE-2021-42340, CVE-2022-23131
