CVE-2014-0227

medium

Description

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

References

https://source.jboss.org/changelog/JBossWeb?cs=2455

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

https://bugzilla.redhat.com/show_bug.cgi?id=1109196

http://www.ubuntu.com/usn/USN-2655-1

http://www.ubuntu.com/usn/USN-2654-1

http://www.securitytracker.com/id/1032791

http://www.securityfocus.com/bid/72717

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

http://www.mandriva.com/security/advisories?name=MDVSA-2015:084

http://www.mandriva.com/security/advisories?name=MDVSA-2015:053

http://www.mandriva.com/security/advisories?name=MDVSA-2015:052

http://www.debian.org/security/2016/dsa-3530

http://www.debian.org/security/2016/dsa-3447

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-6.html

http://svn.apache.org/viewvc?view=revision&revision=1600984

http://rhn.redhat.com/errata/RHSA-2015-0991.html

http://rhn.redhat.com/errata/RHSA-2015-0983.html

http://rhn.redhat.com/errata/RHSA-2015-0765.html

http://rhn.redhat.com/errata/RHSA-2015-0720.html

http://rhn.redhat.com/errata/RHSA-2015-0675.html

http://marc.info/?l=bugtraq&m=143403519711434&w=2

http://marc.info/?l=bugtraq&m=143393515412274&w=2

http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html

http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html

http://advisories.mageia.org/MGASA-2015-0081.html

Details

Source: Mitre, NVD

Published: 2015-02-16

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Severity: Medium