Is CVE-2018-8014 known to be exploited?

6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Tomcat

CVE-2018-8014

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the C…

EPSS: 0.612 (98.3th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Tomcat — versions 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52

Public proof-of-concept exploits

References

tomcat.apache.org/security-9.html (x_refsource_CONFIRM)
RHSA-2019:0451 (vendor-advisory, x_refsource_REDHAT)
tomcat.apache.org/security-7.html (x_refsource_CONFIRM)
RHSA-2018:2469 (vendor-advisory, x_refsource_REDHAT)
1041888 (vdb-entry, x_refsource_SECTRACK)
USN-3665-1 (vendor-advisory, x_refsource_UBUNTU)
tomcat.apache.org/security-8.html (x_refsource_CONFIRM)
RHSA-2018:2470 (vendor-advisory, x_refsource_REDHAT)
www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (x_refsource_CONFIRM)
security.netapp.com/advisory/ntap-20181018-0002/ (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2018-8014?: CVE-2018-8014 is a vulnerability in Apache Software Foundation Tomcat. Published 2018-05-16.
Is CVE-2018-8014 known to be exploited?: 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.