Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18886
https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
https://bugzilla.redhat.com/show_bug.cgi?id=750521
http://www.securityfocus.com/bid/51200
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.kb.cert.org/vuls/id/903934
http://www.debian.org/security/2012/dsa-2401
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
http://secunia.com/advisories/55115
http://secunia.com/advisories/54971
http://secunia.com/advisories/48791
http://secunia.com/advisories/48790
http://secunia.com/advisories/48549
http://rhn.redhat.com/errata/RHSA-2012-0406.html
http://rhn.redhat.com/errata/RHSA-2012-0325.html
http://rhn.redhat.com/errata/RHSA-2012-0089.html
http://rhn.redhat.com/errata/RHSA-2012-0078.html
http://rhn.redhat.com/errata/RHSA-2012-0077.html
http://rhn.redhat.com/errata/RHSA-2012-0076.html
http://rhn.redhat.com/errata/RHSA-2012-0075.html
http://rhn.redhat.com/errata/RHSA-2012-0074.html
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=133294394108746&w=2
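
The condition in the description, many distinct form parameter names sharing one hash value, can be checked on the defensive side before a request body reaches the container. The following is an added example, not code from Tomcat or from any of the referenced advisories; it assumes parameter names are hashed with Java's `String.hashCode()`, and the function names, thresholds and sample bodies are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl

MAX_PARAMS = 10000   # assumed per-request cap for this sketch
MAX_SAME_HASH = 3    # assumed: distinct names allowed to share one hash value

def java_string_hash(s):
    """java.lang.String.hashCode(): h = 31*h + unit over UTF-16 code units, signed 32-bit."""
    h = 0
    data = s.encode("utf-16-be", "surrogatepass")
    for i in range(0, len(data), 2):
        h = (31 * h + ((data[i] << 8) | data[i + 1])) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h

def inspect_form_body(body, max_params=MAX_PARAMS, max_same_hash=MAX_SAME_HASH):
    """Classify a form-urlencoded body; returns (verdict, number_that_triggered_it)."""
    # Cheap count first, so an oversized body is rejected before any parsing.
    field_count = body.count("&") + 1 if body else 0
    if field_count > max_params:
        return ("too-many-params", field_count)
    # Repeated use of one name (a=1&a=2) is a single key, so count distinct names.
    names = {name for name, _ in parse_qsl(body, keep_blank_values=True)}
    per_hash = Counter(java_string_hash(n) for n in names)
    worst = max(per_hash.values(), default=0)
    if worst > max_same_hash:
        return ("collision-suspect", worst)
    return ("ok", worst)

# Constructed sample bodies (not captured traffic).
BENIGN = "user=alice&page=2&page=3"
COLLIDING = "AaAa=1&AaBB=2&BBAa=3&BBBB=4"   # "Aa" and "BB" both hash to 2112

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("colliding", COLLIDING)):
        print(label, inspect_form_body(body))
```

Distinct legitimate parameter names almost never share a full 32-bit hash value, so a low `MAX_SAME_HASH` threshold gives few false positives.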