CVE-2018-8019

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-8019
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-8019.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-8019
Downstream
Related
Published
2018-07-31T13:29:00.797Z
Modified
2026-03-20T11:26:29.312481Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

References

Affected packages

Git / github.com/apache/tomcat-native

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat-native
Events
Introduced
71090a48b31816e3d5a0646be5c3e7b2b533bf07
Last affected
b78d639697912862696e13c2ee17480766421e29
Introduced
7ad1dc6624569d88278ed12fd593ad78b6ec4930
Last affected
4ba17069969930029bbf52fef12a9bf9fbad4d38
Database specific 
{
    "versions": [
        {
            "introduced": "1.1.23"
        },
        {
            "last_affected": "1.1.34"
        },
        {
            "introduced": "1.2.0"
        },
        {
            "last_affected": "1.2.16"
        }
    ]
}

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-8019.json"