CVE-2018-8020 in Apache and Debian Products
Published on July 31, 2018
Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability.
Products Associated with CVE-2018-8020
stack.watch emails you whenever new vulnerabilities are published in Apache Tomcat Native or Debian Linux. Just hit a watch button to start following.
Affected Versions
Apache Software Foundation Apache Tomcat Native:- Version 1.2.0 to 1.2.16 is affected.
- Version 1.1.23 to 1.1.34 is affected.
Exploit Probability
EPSS
1.50%
Percentile
80.92%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.