{"api_version":"1","generated_at":"2026-05-13T11:01:03+00:00","cve":"CVE-2018-8019","urls":{"html":"https://cve.report/CVE-2018-8019","api":"https://cve.report/api/cve/CVE-2018-8019.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-8019","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-8019"},"summary":{"title":"CVE-2018-8019","description":"When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2018-07-31 13:29:00","updated_at":"2023-11-07 03:01:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/104936","name":"104936","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Tomcat Native Connector CVE-2018-8019 Remote Security Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2%40%3Cdev.tomcat.apache.org%3E","name":"[tomcat-dev] 20190325 svn commit: r1856174 [26/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/","refsource":"","tags":[],"title":"Apache Mail Archives","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095943.GA24320%40minotaur.apache.org%3E","name":"[www-announce] 20180721 [SECURITY] CVE-2018-8019 Apache Tomcat Native Connector - Mishandled OCSP invalid response","refsource":"MLIST","tags":["Mitigation","Vendor Advisory"],"title":"[SECURITY] CVE-2018-8019 Apache Tomcat Native Connector - Mishandled OCSP invalid response","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00023.html","name":"[debian-lts-announce] 20180822 [SECURITY] [DLA 1475-1] tomcat-native security update","refsource":"MLIST","tags":["Third Party Advisory"],"title":"[SECURITY] [DLA 1475-1] tomcat-native security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:2469","name":"RHSA-2018:2469","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E","name":"[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"Apache Mail Archives","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E","name":"[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E","name":"[tomcat-dev] 20200213 svn commit: r1873980 [31/34] - /tomcat/site/trunk/docs/","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E","name":"[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1041507","name":"1041507","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Tomcat Native OCSP Response Handling Flaws Let Remote Users Bypass Authentication on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E","name":"[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/","refsource":"","tags":[],"title":"Apache Mail Archives","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220%40%3Cdev.tomcat.apache.org%3E","name":"[tomcat-dev] 20200213 svn commit: r1873980 [31/34] - /tomcat/site/trunk/docs/","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E","name":"[tomcat-dev] 20190325 svn commit: r1856174 [26/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"Apache Mail Archives","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:2470","name":"RHSA-2018:2470","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-8019","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8019","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"8019","vulnerable":"1","versionEndIncluding":"1.1.34","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat_native","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8019","vulnerable":"1","versionEndIncluding":"1.2.16","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat_native","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8019","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8019","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","DATE_PUBLIC":"2018-07-31T00:00:00","ID":"CVE-2018-8019","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Tomcat Native","version":{"version_data":[{"version_value":"1.2.0 to 1.2.16"},{"version_value":"1.1.23 to 1.1.34"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Security Constraint Bypass"}]}]},"references":{"reference_data":[{"name":"[www-announce] 20180721 [SECURITY] CVE-2018-8019 Apache Tomcat Native Connector - Mishandled OCSP invalid response","refsource":"MLIST","url":"http://mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095943.GA24320%40minotaur.apache.org%3E"},{"name":"104936","refsource":"BID","url":"http://www.securityfocus.com/bid/104936"},{"name":"RHSA-2018:2469","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:2469"},{"name":"[debian-lts-announce] 20180822 [SECURITY] [DLA 1475-1] tomcat-native security update","refsource":"MLIST","url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00023.html"},{"name":"RHSA-2018:2470","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:2470"},{"name":"1041507","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041507"},{"refsource":"MLIST","name":"[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/","url":"https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E"},{"refsource":"MLIST","name":"[tomcat-dev] 20190325 svn commit: r1856174 [26/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/","url":"https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E"},{"refsource":"MLIST","name":"[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/","url":"https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E"},{"refsource":"MLIST","name":"[tomcat-dev] 20200213 svn commit: r1873980 [31/34] - /tomcat/site/trunk/docs/","url":"https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E"}]}},"nvd":{"publishedDate":"2018-07-31 13:29:00","lastModifiedDate":"2023-11-07 03:01:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.23","versionEndIncluding":"1.1.34","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:*","versionStartIncluding":"1.2.0","versionEndIncluding":"1.2.16","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"8019","Ordinal":"124336","Title":"CVE-2018-8019","CVE":"CVE-2018-8019","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"8019","Ordinal":"1","NoteData":"When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"8019","Ordinal":"2","NoteData":"2018-07-31","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"8019","Ordinal":"3","NoteData":"2020-02-13","Type":"Other","Title":"Modified"}]}}}