CVE-2014-0227

Sažetak

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

Reference

http://tomcat.apache.org/security-7.html
https://bugzilla.redhat.com/show_bug.cgi?id=1109196
http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html
https://source.jboss.org/changelog/JBossWeb?cs=2455
http://tomcat.apache.org/security-6.html
http://svn.apache.org/viewvc?view=revision&revision=1600984
http://tomcat.apache.org/security-8.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://www.securityfocus.com/bid/72717
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://advisories.mageia.org/MGASA-2015-0081.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://rhn.redhat.com/errata/RHSA-2015-0765.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.debian.org/security/2016/dsa-3530
http://marc.info/?l=bugtraq&m=143403519711434&w=2
http://marc.info/?l=bugtraq&m=143393515412274&w=2
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.debian.org/security/2016/dsa-3447
http://www.ubuntu.com/usn/USN-2655-1
http://rhn.redhat.com/errata/RHSA-2015-0991.html
http://rhn.redhat.com/errata/RHSA-2015-0983.html
http://www.securitytracker.com/id/1032791
http://www.ubuntu.com/usn/USN-2654-1
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:P

Zadnje važnije ažuriranje

07-11-2023 - 02:18

Objavljeno

16-02-2015 - 00:59