CVE-2018-8034

Name: CVE-2018-8034
Creator: NVD / NIST
Published: 2018-08-01T18:29:00.313+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 21.30%

Last modified Jun 17, 2026

CVE-2018-8034 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. EPSS estimates a 21.30% chance of exploitation in the next 30 days.

Description

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

21.30%

97.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Apache	Tomcat	>= 7.0.35, <= 7.0.88	—
Apache	Tomcat	>= 8.0.0, <= 8.0.52	—
Apache	Tomcat	>= 8.5.0, <= 8.5.31	—
Apache	Tomcat	>= 9.0.1, <= 9.0.9	—
Apache	Tomcat	8.0.0	Rc1
Apache	Tomcat	9.0.0	Milestone1
Canonical	Ubuntu Linux	14.04	—
Canonical	Ubuntu Linux	16.04	—
Debian	Debian Linux	8.0	—
Debian	Debian Linux	9.0	—
Oracle	Retail Order Broker	5.1	—
Oracle	Retail Order Broker	5.2	—
Oracle	Retail Order Broker	15.0	—

References

Timeline

Published: Aug 1, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-8034?

How severe is CVE-2018-8034?

CVE-2018-8034 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 21.30% probability of exploitation in the next 30 days.

How do I fix CVE-2018-8034?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-8034?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST