CVE-2018-8034 (CNNVD-201807-1992)
HIGH
中文标题:
Apache Tomcat 信任管理问题漏洞
英文标题:
The host name verification when using TLS with the WebSocket client was missing. It is now enabled b...
CVSS分数:
7.5
发布时间:
2018-08-01 18:00:00
漏洞类型:
信任管理问题
状态:
PUBLISHED
数据质量分数:
0.30
数据版本:
v3
漏洞描述
中文描述:
Apache Tomcat是美国阿帕奇(Apache)软件基金会下属的Jakarta项目的一款轻量级Web应用服务器,它主要用于开发和调试JSP程序,适用于中小型系统。 Apache Tomcat 7.0.25版本至7.0.88版本、8.5.0版本至8.5.31版本和9.0.0.M1版本和9.0.9版本中存在安全绕过漏洞,该漏洞源于程序没有验证主机名称。远程攻击者可利用该漏洞绕过安全限制,执行未授权的操作。
英文描述:
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
CWE类型:
CWE-295
标签:
(暂无数据)
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Apache Software Foundation | Apache Tomcat | 9.0.0.M1 to 9.0.9 | - | - |
cpe:2.3:a:apache_software_foundation:apache_tomcat:9.0.0.m1_to_9.0.9:*:*:*:*:*:*:*
|
| Apache Software Foundation | Apache Tomcat | 8.5.0 to 8.5.31 | - | - |
cpe:2.3:a:apache_software_foundation:apache_tomcat:8.5.0_to_8.5.31:*:*:*:*:*:*:*
|
| Apache Software Foundation | Apache Tomcat | 8.0.0.RC1 to 8.0.52 | - | - |
cpe:2.3:a:apache_software_foundation:apache_tomcat:8.0.0.rc1_to_8.0.52:*:*:*:*:*:*:*
|
| Apache Software Foundation | Apache Tomcat | 7.0.35 to 7.0.88 | - | - |
cpe:2.3:a:apache_software_foundation:apache_tomcat:7.0.35_to_7.0.88:*:*:*:*:*:*:*
|
| apache | tomcat | * | - | - |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
|
| apache | tomcat | 8.0.0 | - | - |
cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
|
| apache | tomcat | 9.0.0 | - | - |
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
|
| canonical | ubuntu_linux | 14.04 | - | - |
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
|
| canonical | ubuntu_linux | 16.04 | - | - |
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
|
| debian | debian_linux | 8.0 | - | - |
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
|
| debian | debian_linux | 9.0 | - | - |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
| oracle | retail_order_broker | 5.1 | - | - |
cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*
|
| oracle | retail_order_broker | 5.2 | - | - |
cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
|
| oracle | retail_order_broker | 15.0 | - | - |
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
USN-3723-1
vendor-advisory
cve.org
访问
cve.org
[www-announce] 20180722 [SECURITY] CVE-2018-8034 Apache Tomcat - Security Constraint Bypass
mailing-list
cve.org
访问
cve.org
RHSA-2019:0451
vendor-advisory
cve.org
访问
cve.org
[debian-lts-announce] 20180730 [SECURITY] [DLA 1453-1] tomcat7 security update
mailing-list
cve.org
访问
cve.org
DSA-4281
vendor-advisory
cve.org
访问
cve.org
1041374
vdb-entry
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
RHSA-2019:0131
vendor-advisory
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
RHSA-2019:0130
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:0450
vendor-advisory
cve.org
访问
cve.org
[debian-lts-announce] 20180902 [SECURITY] [DLA 1491-1] tomcat8 security update
mailing-list
cve.org
访问
cve.org
104895
vdb-entry
cve.org
访问
cve.org
[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
mailing-list
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
RHSA-2019:1160
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:1162
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:1159
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:1161
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:1529
vendor-advisory
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
[activemq-issues] 20190723 [jira] [Created] (AMQ-7249) Security Vulnerabilities in the ActiveMQ dependent jars.
mailing-list
cve.org
访问
cve.org
RHSA-2019:2205
vendor-advisory
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
RHSA-2019:3892
vendor-advisory
cve.org
访问
cve.org
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/
mailing-list
cve.org
访问
cve.org
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/
mailing-list
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
CVSS评分详情
3.1 (adp)
HIGH
7.5
CVSS向量:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
机密性
HIGH
完整性
NONE
可用性
NONE
时间信息
发布时间:
2018-08-01 18:00:00
修改时间:
2024-10-21 16:09:49
创建时间:
2025-11-11 15:35:22
更新时间:
2025-11-11 15:53:50
利用信息
暂无可利用代码信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2018-8034 |
2025-11-11 15:19:54 | 2025-11-11 07:35:22 |
| NVD | nvd_CVE-2018-8034 |
2025-11-11 14:55:57 | 2025-11-11 07:43:56 |
| CNNVD | cnnvd_CNNVD-201807-1992 |
2025-11-11 15:10:04 | 2025-11-11 07:53:50 |
版本与语言
当前版本:
v3
主要语言:
EN
支持语言:
EN
ZH
安全公告
暂无安全公告信息
变更历史
v3
CNNVD
2025-11-11 15:53:50
vulnerability_type: 未提取 → 信任管理问题; cnnvd_id: 未提取 → CNNVD-201807-1992; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
- vulnerability_type: 未提取 -> 信任管理问题
- cnnvd_id: 未提取 -> CNNVD-201807-1992
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2
NVD
2025-11-11 15:43:56
affected_products_count: 4 → 14; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
- affected_products_count: 4 -> 14
- data_sources: ['cve'] -> ['cve', 'nvd']