CVE-2013-4322 – tomcat: incomplete fix for CVE-2012-3544
https://notcve.org/view.php?id=CVE-2013-4322
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat and JBoss Web processed chunk extensions and trailing headers in chunked requests.

• http://advisories.mageia.org/MGASA-2014-0148.html
• http://marc.info/?l=bugtraq&m=144498216801440&w=2
• http://seclists.org/fulldisclosure/2014/Dec/23
• http://secunia.com/advisories/59036
• http://secunia.com/advisories/59675
• http://secunia.com/advisories/59722
• http://secunia.com/advisories/59724
• http://secunia.com/advisories/59873
• http://svn.apache.org/viewvc?view=revision&revision=1521834
• http://svn.apache.org/viewvc?view=revision&revision=1521864
• http://svn.apache.org/viewvc?vie
• CWE-20: Improper Input Validation

CVE-2013-4286 – tomcat: multiple content-length header poisoning flaws
https://notcve.org/view.php?id=CVE-2013-4286
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

It was found that when Tomcat / JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat / JBoss Web would incorrectly handle the request.

• http://advisories.mageia.org/MGASA-2014-0148.html
• http://marc.info/?l=bugtraq&m=141390017113542&w=2
• http://marc.info/?l=bugtraq&m=144498216801440&w=2
• http://rhn.redhat.com/errata/RHSA-2014-0343.html
• http://rhn.redhat.com/errata/RHSA-2014-0344.html
• http://rhn.redhat.com/errata/RHSA-2014-0345.html
• http://seclists.org/fulldisclosure/2014/Dec/23
• http://secunia.com/advisories/57675
• http://secunia.com/advisories/59036
• http://secunia.com/advisories/59675
• http://
• CWE-20: Improper Input Validation

CVE-2014-0050 – Apache Commons FileUpload and Apache Tomcat - Denial of Service
https://notcve.org/view.php?id=CVE-2014-0050
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.

• https://www.exploit-db.com/exploits/31615
• http://advisories.mageia.org/MGASA-2014-0110.html
• http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
• http://jvn.jp/en/jp/JVN14876762/index.html
• http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017
• http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907%40apache.org%3E
• http://marc.info/?l=bugtraq&m=143136844732487&w=2
• http://packetstormsecurity.com/files/127215/VMware&
• CWE-264: Permissions, Privileges, and Access Controls