CVE-2018-8034

Summary

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat9.0.0.M1 to 9.0.9affected
Apache Software FoundationApache Tomcat8.5.0 to 8.5.31affected
Apache Software FoundationApache Tomcat8.0.0.RC1 to 8.0.52affected
Apache Software FoundationApache Tomcat7.0.35 to 7.0.88affected

Weaknesses

  • Security Constraint Bypass

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References