Apache Tomcat through versions 7.0.88, 8.0.52, 8.5.31 and 9.0.8 has default settings for the CORS filter that are insecure and enable 'supportsCredentials' for all origins.

Upstream announcement: https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E

Upstream bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

Upstream Patches:
http://svn.apache.org/viewvc?view=rev&rev=1831726 / trunk/9.0
http://svn.apache.org/viewvc?view=rev&rev=1831728 / 8.5
http://svn.apache.org/viewvc?view=rev&rev=1831729 / 8.0
http://svn.apache.org/viewvc?view=rev&rev=1831730 / 7.0

External References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.9
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.89
Created tomcat tracking bugs for this issue: Affects: epel-all [bug 1579613] Affects: fedora-all [bug 1579612]
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:2470
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2469
This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2019:0450 https://access.redhat.com/errata/RHSA-2019:0450
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.0 on RHEL 6 Red Hat JBoss Web Server 5.0 on RHEL 7 Via RHSA-2019:0451 https://access.redhat.com/errata/RHSA-2019:0451
This vulnerability is out of security support scope for the following product: * Red Hat Enterprise Application Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529
Mitigation: When using the CORS filter, it is recommended to configure it explicitly for your environment. In particular, the combination of `cors.allowed.origins = *` and `cors.support.credentials = True` should be avoided as this can leave your application vulnerable to cross-site scripting (XSS). For details on configuring the CORS filter, please refer to https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
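One way to audit a deployment's web.xml for the combination the mitigation above warns about, as an added example that is not code from the Tomcat project or this bug report (the checker, its treatment of missing init-params as the pre-fix defaults, and the two sample web.xml fragments are constructed here):

```python
# Added example (not from the Tomcat project or this bug report): audit a
# web.xml for the CorsFilter combination the mitigation warns about,
# cors.allowed.origins = * together with cors.support.credentials = true.
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def insecure_cors_filters(web_xml):
    """Return filter-names of CorsFilter definitions that would answer every
    origin with Access-Control-Allow-Credentials: true.  A missing init-param
    is treated as the pre-fix default ('*' / 'true'), the conservative
    assumption for the affected Tomcat versions."""
    flagged = []
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter" or _child_text(flt, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {_child_text(ip, "param-name"): _child_text(ip, "param-value") or ""
                  for ip in flt if _local(ip.tag) == "init-param"}
        origins = params.get("cors.allowed.origins", "*")
        creds = params.get("cors.support.credentials", "true")
        if origins.strip() == "*" and creds.strip().lower() == "true":
            flagged.append(_child_text(flt, "filter-name"))
    return flagged

# Constructed sample: relies on the old defaults, so it is flagged.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
</web-app>"""

# Constructed sample: explicit origin list, so credentials are scoped to it.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name>
      <param-value>true</param-value></init-param>
  </filter>
</web-app>"""
```

On a patched Tomcat a CorsFilter with no init-params is safe, so run the check against the version table above before treating a flagged definition as exploitable.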
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2205 https://access.redhat.com/errata/RHSA-2019:2205