Base Score

HIGH7.5

CVE-2018-1336

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

VectorNETWORK

Published Bysecurity@apache.org

Published DateAug 02, 2018, 14:29

Affected Versions(4)

org.apache.tomcat.embed:tomcat-embed-core(Maven)

Introduced9.0.0.M9

Fixed9.0.8

LimitN/A

org.apache.tomcat.embed:tomcat-embed-core(Maven)

Introduced8.5.0

Fixed8.5.31

LimitN/A

org.apache.tomcat.embed:tomcat-embed-core(Maven)

Introduced8.0.0RC1

Fixed8.0.51

LimitN/A

org.apache.tomcat.embed:tomcat-embed-core(Maven)

Introduced7.0.28

Fixed7.0.87

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.tomcat.embed:tomcat-embed-core(Maven)	9.0.0.M9	9.0.8	N/A
org.apache.tomcat.embed:tomcat-embed-core(Maven)	8.5.0	8.5.31	N/A
org.apache.tomcat.embed:tomcat-embed-core(Maven)	8.0.0RC1	8.0.51	N/A
org.apache.tomcat.embed:tomcat-embed-core(Maven)	7.0.28	7.0.87	N/A

Weakness Type (CWE):CWE-835

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

Base Score

HIGH7.5

Weakness Type (CWE):CWE-835

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH