CVE-2018-8019

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-8019
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-8019.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-8019
Related
Published
2018-07-31T13:29:00Z
Modified
2024-09-11T02:00:06Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

References

Affected packages

Debian:11 / tomcat-native

Package

Name
tomcat-native
Purl
pkg:deb/debian/tomcat-native?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.17-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / tomcat-native

Package

Name
tomcat-native
Purl
pkg:deb/debian/tomcat-native?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.17-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / tomcat-native

Package

Name
tomcat-native
Purl
pkg:deb/debian/tomcat-native?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.17-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}