GitHub Advisory DatabaseGHSA-XH5X-J8JF-PCPXImproper Neutralization of CRLF Sequences in HTTP Headers in Apache Tomcat
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.6%
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | lt | 8.0.6 | |
| org.apache.tomcat:tomcat | lt | 7.0.54 | |
| org.apache.tomcat:tomcat | lt | 6.0.40 |
References
advisories.mageia.org/MGASA-2014-0268.html
linux.oracle.com/errata/ELSA-2014-0865.html
lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html
marc.info/?l=bugtraq&m=141017844705317&w=2
marc.info/?l=bugtraq&m=141390017113542&w=2
marc.info/?l=bugtraq&m=144498216801440&w=2
rhn.redhat.com/errata/RHSA-2015-0675.html
rhn.redhat.com/errata/RHSA-2015-0720.html
rhn.redhat.com/errata/RHSA-2015-0765.html
seclists.org/fulldisclosure/2014/Dec/23
seclists.org/fulldisclosure/2014/May/138
seclists.org/fulldisclosure/2014/May/140
svn.apache.org/viewvc?view=revision&revision=1578812
svn.apache.org/viewvc?view=revision&revision=1578814
svn.apache.org/viewvc?view=revision&revision=1580473
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html
www-01.ibm.com/support/docview.wss?uid=swg21678231
www-01.ibm.com/support/docview.wss?uid=swg21680603
www-01.ibm.com/support/docview.wss?uid=swg21681528
www.debian.org/security/2016/dsa-3447
www.debian.org/security/2016/dsa-3530
www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
www.vmware.com/security/advisories/VMSA-2014-0012.html
github.com/advisories/GHSA-xh5x-j8jf-pcpx
github.com/apache/tomcat/commit/184cdc0d3f03f5737e12d21fff246d7285034597
github.com/apache/tomcat/commit/fffd63a3bd3a5475379b7c074820a5463b7663b3
github.com/apache/tomcat80/commit/990de53ab923c126f7402090a4ca53df4bb80cbd
h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2014-0099
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.6%