Thank you Chris for the answer. The EOL date and its policy made me wonder if the CVE was tested against that version.
Is there any place I can get a POC version of the CVE test case so that I can do the test myself against version 8.0.53?

On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Martin,
>
> On 10/1/19 10:35, Martin Cocaro wrote:
> > Apache Tomcat Users Team,
> >
> > The purpose of this email is to request information regarding
> > Apache Tomcat CVE-2018-8037
> > <https://www.securityfocus.com/bid/104894/info> possibly affecting
> > version 8.0.X (particularly 8.0.53). The CVE was made public on
> > 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> > EOL date of Tomcat 8.0.X was 30-Jun-2018.
> >
> > Reaching out to you to get confirmation on whether the CVE is
> > confirmed to not affect the version 8.0.X or if the CVE was not
> > tested against such version at all as its EOL date preceded the
> > public disclosure.
> >
> > Your help on this matter would be greatly appreciated.
>
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see the
> same thing, except that they provide a *range* of versions instead of
> just the individual ones affected.
>
> No Tomcat 8.0.x versions appear in the list.
>
> I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> code, but I do not believe it is/was vulnerable to this CVE.
>
> - -chris