GitHub Advisory Database: GHSA-42J3-498Q-M6VP
History: May 14, 2022 - 1:10 a.m.

Improper Input Validation in Apache Tomcat

2022-05-14 01:10:18
CWE-20
GitHub Advisory Database
github.com
Tags: improper input validation, apache tomcat, http request smuggling, denial of service, chunked transfer coding, vulnerability, security

CVSS2: 6.4
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P

AI Score: 6.5
Confidence: Low

EPSS: 0.948
Percentile: 99.3%

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
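
The failure class described above, as an added illustration that is not Tomcat's code and not part of the original advisory: a minimal chunked-body decoder that either resumes parsing after a malformed chunk or latches the error and refuses further reads. The class and function names and the sample bytes are hypothetical and constructed for this example.

```python
class ChunkedDecodeError(Exception):
    """Malformed chunked transfer coding."""

class ChunkedDecoder:
    """Hypothetical minimal decoder; chunk extensions and trailers are not handled."""
    def __init__(self, data: bytes, latch_errors: bool):
        self.buf, self.pos, self.failed = data, 0, False  # body fully buffered for the demo
        self.latch_errors = latch_errors                  # True = hardened behaviour

    def _fail(self, msg: str):
        self.failed = True  # after any error the stream position can no longer be trusted
        raise ChunkedDecodeError(msg)

    def read_chunk(self):
        """Return the next chunk's bytes, or None at the terminating zero-size chunk."""
        if self.failed and self.latch_errors:
            self._fail("stream already failed, refusing further reads")
        eol = self.buf.find(b"\r\n", self.pos)
        if eol < 0:
            self._fail("missing CRLF after chunk size")
        size_line, self.pos = self.buf[self.pos:eol], eol + 2
        if not size_line or any(c not in b"0123456789abcdefABCDEF" for c in size_line):
            self._fail(f"bad chunk size {size_line!r}")
        size = int(size_line, 16)
        if size == 0:
            return None
        end = self.pos + size
        if self.buf[end:end + 2] != b"\r\n":
            self._fail("chunk data not terminated by CRLF")
        data, self.pos = self.buf[self.pos:end], end + 2
        return data

# Constructed input: one valid chunk, a malformed size line, then more chunk-shaped bytes.
SAMPLE = b"4\r\nWiki\r\nZZ\r\n5\r\nhello\r\n0\r\n\r\n"

def drain(data: bytes, latch_errors: bool, max_reads: int = 8):
    """Model a caller that swallows errors and keeps reading; return (chunks, errors)."""
    dec, chunks, errors = ChunkedDecoder(data, latch_errors), [], 0
    for _ in range(max_reads):
        try:
            chunk = dec.read_chunk()
        except ChunkedDecodeError:
            errors += 1
            continue
        if chunk is None:
            break
        chunks.append(chunk)
    return chunks, errors
```

With `latch_errors=False` the caller still receives the bytes that follow the malformed size line as body data; with `latch_errors=True` every read after the first failure raises, so the connection can be closed instead of re-synchronised.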

Affected configurations

Vulners
Node:
  org.apache.tomcat | tomcat | Range 8.0.0 - 8.0.9
  OR
  org.apache.tomcat | tomcat | Range 7.0.0 - 7.0.55
  OR
  org.apache.tomcat | tomcat | Range 6.0.0 - 6.0.42

Vendor | Product | Version | CPE
org.apache.tomcat | tomcat | * | cpe:2.3:a:org.apache.tomcat:tomcat:*:*:*:*:*:*:*:*
