DEBIAN-CVE-2018-8020

DEBIAN-CVE-2018-8020 PUBLISHED CVSS 7.400000095367432 HIGH

Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

Risk Scores

CVSS v3.0

7.400000095367432

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products

Vendor	Product	Versions
Debian:13	tomcat-native	0, 0, 0
Debian:14	tomcat-native	0, 0, 0
Debian:12	tomcat-native	0, 0, 0
Debian:11	tomcat-native	0, 0, 0

Timeline

Jul 31, 2018 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2018-8020 advisory

Open in Interactive Console →