GitHub Advisory DatabaseGHSA-PXCX-CXQ8-4MMWUncontrolled Resource Consumption in Apache Tomcat
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.073 Low
EPSS
Percentile
94.1%
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | lt | 8.0.9 | |
| org.apache.tomcat:tomcat | lt | 7.0.55 | |
| org.apache.tomcat:tomcat | lt | 6.0.44 |
References
mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E
marc.info/?l=bugtraq&m=144498216801440&w=2
marc.info/?l=bugtraq&m=145974991225029&w=2
openwall.com/lists/oss-security/2015/04/10/1
rhn.redhat.com/errata/RHSA-2015-1622.html
rhn.redhat.com/errata/RHSA-2016-0595.html
rhn.redhat.com/errata/RHSA-2016-0596.html
rhn.redhat.com/errata/RHSA-2016-0597.html
rhn.redhat.com/errata/RHSA-2016-0598.html
svn.apache.org/viewvc?view=revision&revision=1603770
svn.apache.org/viewvc?view=revision&revision=1603775
svn.apache.org/viewvc?view=revision&revision=1603779
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html
www.debian.org/security/2016/dsa-3447
www.debian.org/security/2016/dsa-3530
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
www.ubuntu.com/usn/USN-2654-1
www.ubuntu.com/usn/USN-2655-1
access.redhat.com/errata/RHSA-2015:2659
access.redhat.com/errata/RHSA-2015:2660
github.com/advisories/GHSA-pxcx-cxq8-4mmw
github.com/apache/tomcat/commit/6b2cfacf749be186ea77249a979af1d4863e47ba
github.com/apache/tomcat/commit/812088583d0e60717a8fe9c6d14e12bcdc3e6c51
github.com/apache/tomcat/commit/b1c8477e3e3ee635d19cc4d5987c2b157431e0c1
github.com/apache/tomcat/commit/c1357e649641844109711d60cacb98e4b5fcd3cb
github.com/apache/tomcat/commit/e28dd578fad90a6d5726ec34f3245c9f99d909a5
github.com/apache/tomcat/commit/e3146f4b03a2386c3e57597e86134d4ed5c31303
github.com/apache/tomcat/commit/fc049912464f0dcf9dede3761f38049369057e16
github.com/apache/tomcat/commit/fdd9f11dc24b95e5425076abb58e968336f320a2
h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
issues.jboss.org/browse/JWS-219
issues.jboss.org/browse/JWS-220
lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2014-0230
Related
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.073 Low
EPSS
Percentile
94.1%