QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2018-8020

Back to search

CVE-2018-8020

Published: Jul 31, 2018

Modified: Sep 17, 2024

PUBLISHED

Description

Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

VendorProductVersions

Apache Software Foundation

Apache Tomcat Native

affected
1.2.0 to 1.2.16
affected
1.1.23 to 1.1.34

References

RHSA-2018:2469
vendor-advisory
x_refsource_REDHAT
104934
vdb-entry
x_refsource_BID
RHSA-2018:2470
vendor-advisory
x_refsource_REDHAT
1041507
vdb-entry
x_refsource_SECTRACK

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now