CVE-2018-8019

HIGH

Apache Tomcat Native 1.2.0-1.2.16, 1.1.23-1.1.34 - Info Disclosure

Title source: llm
STIX 2.1

Description

When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

References (10)

Core 10
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104936
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2469
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/08/msg00023.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2470
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041507

Scores

CVSS v3 7.4
EPSS 0.0085
EPSS Percentile 75.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-295
Status published
Products (2)
apache/tomcat_native 1.1.23 - 1.1.34
debian/debian_linux 8.0
Published Jul 31, 2018
Tracked Since Feb 18, 2026