Lucene search

GitHub Advisory DatabaseGHSA-XX68-JFCG-XMMF

HistoryDec 21, 2018 - 5:51 p.m.

Commons FileUpload Denial of service vulnerability

2018-12-2117:51:42

CWE-20

GitHub Advisory Database

github.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.166 Low

EPSS

Percentile

96.0%

JSON

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.

CPENameOperatorVersion
org.apache.tomcat:tomcatle7.0.50
org.apache.tomcat:tomcatle8.0.1
commons-fileupload:commons-fileuploadlt1.3.1

Name	Operator	Version
org.apache.tomcat:tomcat	le	7.0.50
org.apache.tomcat:tomcat	le	8.0.1
commons-fileupload:commons-fileupload	lt	1.3.1

References

advisories.mageia.org/MGASA-2014-0110.html

blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html

jvn.jp/en/jp/JVN14876762/index.html

jvndb.jvn.jp/jvndb/JVNDB-2014-000017

mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%[email protected]%3E

marc.info/?l=bugtraq&m=143136844732487&w=2

packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html

rhn.redhat.com/errata/RHSA-2014-0252.html

rhn.redhat.com/errata/RHSA-2014-0253.html

rhn.redhat.com/errata/RHSA-2014-0400.html

seclists.org/fulldisclosure/2014/Dec/23

secunia.com/advisories/57915

secunia.com/advisories/58075

secunia.com/advisories/58976

secunia.com/advisories/59039

secunia.com/advisories/59041

secunia.com/advisories/59183

secunia.com/advisories/59184

secunia.com/advisories/59185

secunia.com/advisories/59187

secunia.com/advisories/59232

secunia.com/advisories/59399

secunia.com/advisories/59492

secunia.com/advisories/59500

secunia.com/advisories/59725

secunia.com/advisories/60475

secunia.com/advisories/60753

svn.apache.org/r1565143

tomcat.apache.org/security-7.html

tomcat.apache.org/security-8.html

www-01.ibm.com/support/docview.wss?uid=swg21669554

www-01.ibm.com/support/docview.wss?uid=swg21675432

www-01.ibm.com/support/docview.wss?uid=swg21676091

www-01.ibm.com/support/docview.wss?uid=swg21676092

www-01.ibm.com/support/docview.wss?uid=swg21676401

www-01.ibm.com/support/docview.wss?uid=swg21676403

www-01.ibm.com/support/docview.wss?uid=swg21676405

www-01.ibm.com/support/docview.wss?uid=swg21676410

www-01.ibm.com/support/docview.wss?uid=swg21676656

www-01.ibm.com/support/docview.wss?uid=swg21676853

www-01.ibm.com/support/docview.wss?uid=swg21677691

www-01.ibm.com/support/docview.wss?uid=swg21677724

www-01.ibm.com/support/docview.wss?uid=swg21681214

www.debian.org/security/2014/dsa-2856

www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html

www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html

www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html

www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm

www.mandriva.com/security/advisories?name=MDVSA-2015:084

www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

www.securityfocus.com/archive/1/532549/100/0/threaded

www.securityfocus.com/archive/1/534161/100/0/threaded

www.securityfocus.com/bid/65400

www.ubuntu.com/usn/USN-2130-1

www.vmware.com/security/advisories/VMSA-2014-0007.html

www.vmware.com/security/advisories/VMSA-2014-0008.html

www.vmware.com/security/advisories/VMSA-2014-0012.html

bugzilla.redhat.com/show_bug.cgi?id=1062337

github.com/advisories/GHSA-xx68-jfcg-xmmf

github.com/apache/commons-fileupload/commit/c61ff05b3241cb14d989b67209e57aa71540417a

github.com/apache/tomcat/commit/29384723d8d9645b87e05be9fa369a4deeb78b9c

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

nvd.nist.gov/vuln/detail/CVE-2014-0050

svn.apache.org/viewvc?view=revision&revision=1565143

svn.apache.org/viewvc?view=revision&revision=1565163

svn.apache.org/viewvc?view=revision&revision=1565169

tomcat.apache.org/security-7.html

tomcat.apache.org/security-8.html

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.166 Low

EPSS

Percentile

96.0%

JSON

Commons FileUpload Denial of service vulnerability

References

Related