Apache Tomcat – Security Constraint Bypass CVE-2018-1336, CVE-2018-8034

Descripción:

Las opciones por defecto del filtro CORS provisto en Apache Tomcat tiene habilitada la configuración “supportsCredentials” para todos los orígenes, la cual es insegura en las versiones:
9.0.0.M1 a 9.08
8.5.0 a 8.5.31
8.0.0.RC1 a 8.0.52
7.0.35 a 7.0.88

CVE: CVE-2018-8034 CVE-2018-1336 CVE-2018-8014
Factor de Riesgo: Crítico
Valor CVSS Base: 9.8

Solución:
Se debe actualizar la aplicación Apache Tomcat a las siguientes versiones de forma inmediata:

Versiones vulnerables	Actualizar a versión
9.0.0.M1 a 9.08	9.0.10 o superior
8.5.0 a 8.5.31	8.5.32 o superior
8.0.0.RC1 a 8.0.52	8.0.53 o superior
7.0.35 a 7.0.88	7.0.90 o superior

Referencias:
http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283@minotaur.apache.org%3E

https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2018-8014

https://nvd.nist.gov/vuln/detail/CVE-2018-8014

https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2018-8014#

https://tomcat.apache.org/security-8.html

Apache Tomcat – Security Constraint Bypass CVE-2018-1336, CVE-2018-8034

Apache Tomcat – Security Constraint Bypass CVE-2018-1336, CVE-2018-8034

No Comment

Leave A Comment

Microsoft DNS Server Remote Code Execution (SIGRed) (CVE-2020-1350)

Oracle Database Multiple Vulnerabilities (CPU)

MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)

MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)

Oracle GlassFish Server Administrative Console Authentication Bypass

Apache Tomcat – Security Constraint Bypass CVE-2018-1336, CVE-2018-8034

No Comment

Leave A Comment

You may also like