CVE-2014-0230

high

Description

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

References

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

https://issues.jboss.org/browse/JWS-220

https://issues.jboss.org/browse/JWS-219

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013

https://access.redhat.com/errata/RHSA-2015:2660

https://access.redhat.com/errata/RHSA-2015:2659

http://www.ubuntu.com/usn/USN-2655-1

http://www.ubuntu.com/usn/USN-2654-1

http://www.securityfocus.com/bid/74475

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.debian.org/security/2016/dsa-3530

http://www.debian.org/security/2016/dsa-3447

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-6.html

http://svn.apache.org/viewvc?view=revision&revision=1603779

http://svn.apache.org/viewvc?view=revision&revision=1603775

http://svn.apache.org/viewvc?view=revision&revision=1603770

http://rhn.redhat.com/errata/RHSA-2016-0599.html

http://rhn.redhat.com/errata/RHSA-2016-0598.html

http://rhn.redhat.com/errata/RHSA-2016-0597.html

http://rhn.redhat.com/errata/RHSA-2016-0596.html

http://rhn.redhat.com/errata/RHSA-2016-0595.html

http://rhn.redhat.com/errata/RHSA-2015-2661.html

http://rhn.redhat.com/errata/RHSA-2015-1622.html

http://rhn.redhat.com/errata/RHSA-2015-1621.html

http://openwall.com/lists/oss-security/2015/04/10/1

http://marc.info/?l=bugtraq&m=145974991225029&w=2

http://marc.info/?l=bugtraq&m=144498216801440&w=2

http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E

Details

Source: Mitre, NVD

Published: 2015-06-07

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High