Lucene search

[email protected]NVD:CVE-2013-4286

HistoryFeb 26, 2014 - 2:55 p.m.

CVE-2013-4286

2014-02-2614:55:08

CWE-20

[email protected]

web.nvd.nist.gov

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

8.2

Confidence

High

EPSS

0.972

Percentile

99.8%

JSON

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request’s length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a “Transfer-Encoding: chunked” header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

Affected configurations

Nvd

Node

apachetomcatMatch7.0.0

apachetomcatMatch7.0.0beta

apachetomcatMatch7.0.1

apachetomcatMatch7.0.2

apachetomcatMatch7.0.2beta

apachetomcatMatch7.0.3

apachetomcatMatch7.0.4

apachetomcatMatch7.0.4beta

apachetomcatMatch7.0.10

apachetomcatMatch7.0.11

apachetomcatMatch7.0.12

apachetomcatMatch7.0.13

apachetomcatMatch7.0.14

apachetomcatMatch7.0.15

apachetomcatMatch7.0.16

apachetomcatMatch7.0.17

apachetomcatMatch7.0.18

apachetomcatMatch7.0.19

apachetomcatMatch7.0.20

apachetomcatMatch7.0.21

apachetomcatMatch7.0.22

apachetomcatMatch7.0.23

apachetomcatMatch7.0.24

apachetomcatMatch7.0.25

apachetomcatMatch7.0.26

apachetomcatMatch7.0.27

apachetomcatMatch7.0.28

apachetomcatMatch7.0.29

apachetomcatMatch7.0.30

apachetomcatMatch7.0.31

apachetomcatMatch7.0.32

apachetomcatMatch7.0.33

apachetomcatMatch7.0.34

apachetomcatMatch7.0.35

apachetomcatMatch7.0.36

apachetomcatMatch7.0.37

apachetomcatMatch7.0.38

apachetomcatMatch7.0.39

apachetomcatMatch7.0.40

apachetomcatMatch7.0.41

apachetomcatMatch7.0.42

apachetomcatMatch7.0.43

apachetomcatMatch7.0.44

apachetomcatMatch7.0.45

apachetomcatMatch7.0.46

Node

apachetomcatMatch8.0.0rc1

apachetomcatMatch8.0.0rc2

Node

apachetomcatRange≤6.0.37

apachetomcatMatch1.1.3

apachetomcatMatch3.0

apachetomcatMatch3.1

apachetomcatMatch3.1.1

apachetomcatMatch3.2

apachetomcatMatch3.2.1

apachetomcatMatch3.2.2

apachetomcatMatch3.2.2beta2

apachetomcatMatch3.2.3

apachetomcatMatch3.2.4

apachetomcatMatch3.3

apachetomcatMatch3.3.1

apachetomcatMatch3.3.1a

apachetomcatMatch3.3.2

apachetomcatMatch4

apachetomcatMatch4.0.0

apachetomcatMatch4.0.1

apachetomcatMatch4.0.2

apachetomcatMatch4.0.3

apachetomcatMatch4.0.4

apachetomcatMatch4.0.5

apachetomcatMatch4.0.6

apachetomcatMatch4.1.0

apachetomcatMatch4.1.1

apachetomcatMatch4.1.2

apachetomcatMatch4.1.3

apachetomcatMatch4.1.3beta

apachetomcatMatch4.1.9beta

apachetomcatMatch4.1.10

apachetomcatMatch4.1.12

apachetomcatMatch4.1.15

apachetomcatMatch4.1.24

apachetomcatMatch4.1.28

apachetomcatMatch4.1.29

apachetomcatMatch4.1.31

apachetomcatMatch4.1.36

apachetomcatMatch5

apachetomcatMatch5.0.0

apachetomcatMatch5.0.1

apachetomcatMatch5.0.2

apachetomcatMatch5.0.3

apachetomcatMatch5.0.4

apachetomcatMatch5.0.5

apachetomcatMatch5.0.6

apachetomcatMatch5.0.7

apachetomcatMatch5.0.8

apachetomcatMatch5.0.9

apachetomcatMatch5.0.10

apachetomcatMatch5.0.11

apachetomcatMatch5.0.12

apachetomcatMatch5.0.13

apachetomcatMatch5.0.14

apachetomcatMatch5.0.15

apachetomcatMatch5.0.16

apachetomcatMatch5.0.17

apachetomcatMatch5.0.18

apachetomcatMatch5.0.19

apachetomcatMatch5.0.21

apachetomcatMatch5.0.22

apachetomcatMatch5.0.23

apachetomcatMatch5.0.24

apachetomcatMatch5.0.25

apachetomcatMatch5.0.26

apachetomcatMatch5.0.27

apachetomcatMatch5.0.28

apachetomcatMatch5.0.29

apachetomcatMatch5.0.30

apachetomcatMatch5.5.0

apachetomcatMatch5.5.1

apachetomcatMatch5.5.2

apachetomcatMatch5.5.3

apachetomcatMatch5.5.4

apachetomcatMatch5.5.5

apachetomcatMatch5.5.6

apachetomcatMatch5.5.7

apachetomcatMatch5.5.8

apachetomcatMatch5.5.9

apachetomcatMatch5.5.10

apachetomcatMatch5.5.11

apachetomcatMatch5.5.12

apachetomcatMatch5.5.13

apachetomcatMatch5.5.14

apachetomcatMatch5.5.15

apachetomcatMatch5.5.16

apachetomcatMatch5.5.17

apachetomcatMatch5.5.18

apachetomcatMatch5.5.19

apachetomcatMatch5.5.20

apachetomcatMatch5.5.21

apachetomcatMatch5.5.22

apachetomcatMatch5.5.23

apachetomcatMatch5.5.24

apachetomcatMatch5.5.25

apachetomcatMatch5.5.26

apachetomcatMatch5.5.27

apachetomcatMatch5.5.28

apachetomcatMatch5.5.29

apachetomcatMatch5.5.30

apachetomcatMatch5.5.31

apachetomcatMatch5.5.32

apachetomcatMatch5.5.33

apachetomcatMatch5.5.34

apachetomcatMatch5.5.35

apachetomcatMatch6

apachetomcatMatch6.0

apachetomcatMatch6.0.0

apachetomcatMatch6.0.0alpha

apachetomcatMatch6.0.1

apachetomcatMatch6.0.1alpha

apachetomcatMatch6.0.2

apachetomcatMatch6.0.2alpha

apachetomcatMatch6.0.2beta

apachetomcatMatch6.0.3

apachetomcatMatch6.0.10

apachetomcatMatch6.0.11

apachetomcatMatch6.0.12

apachetomcatMatch6.0.13

apachetomcatMatch6.0.14

apachetomcatMatch6.0.15

apachetomcatMatch6.0.16

apachetomcatMatch6.0.17

apachetomcatMatch6.0.18

apachetomcatMatch6.0.19

apachetomcatMatch6.0.20

apachetomcatMatch6.0.24

apachetomcatMatch6.0.26

apachetomcatMatch6.0.27

apachetomcatMatch6.0.28

apachetomcatMatch6.0.29

apachetomcatMatch6.0.30

apachetomcatMatch6.0.31

apachetomcatMatch6.0.32

apachetomcatMatch6.0.33

apachetomcatMatch6.0.35

apachetomcatMatch6.0.36

VendorProductVersionCPE
apachetomcat7.0.0cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
apachetomcat7.0.0cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
apachetomcat7.0.1cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
apachetomcat7.0.2cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
apachetomcat7.0.2cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
apachetomcat7.0.3cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
apachetomcat7.0.4cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
apachetomcat7.0.4cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
apachetomcat7.0.10cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
apachetomcat7.0.11cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	tomcat	7.0.0	cpe:2.3:a:apache:tomcat:7.0.0:::::::*
apache	tomcat	7.0.0	cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
apache	tomcat	7.0.1	cpe:2.3:a:apache:tomcat:7.0.1:::::::*
apache	tomcat	7.0.2	cpe:2.3:a:apache:tomcat:7.0.2:::::::*
apache	tomcat	7.0.2	cpe:2.3:a:apache:tomcat:7.0.2:beta::::::
apache	tomcat	7.0.3	cpe:2.3:a:apache:tomcat:7.0.3:::::::*
apache	tomcat	7.0.4	cpe:2.3:a:apache:tomcat:7.0.4:::::::*
apache	tomcat	7.0.4	cpe:2.3:a:apache:tomcat:7.0.4:beta::::::
apache	tomcat	7.0.10	cpe:2.3:a:apache:tomcat:7.0.10:::::::*
apache	tomcat	7.0.11	cpe:2.3:a:apache:tomcat:7.0.11:::::::*

Rows per page:

1-10 of 1831

References

advisories.mageia.org/MGASA-2014-0148.html

marc.info/?l=bugtraq&m=141390017113542&w=2

marc.info/?l=bugtraq&m=144498216801440&w=2

rhn.redhat.com/errata/RHSA-2014-0343.html

rhn.redhat.com/errata/RHSA-2014-0344.html

rhn.redhat.com/errata/RHSA-2014-0345.html

seclists.org/fulldisclosure/2014/Dec/23

secunia.com/advisories/57675

secunia.com/advisories/59036

secunia.com/advisories/59675

secunia.com/advisories/59722

secunia.com/advisories/59724

secunia.com/advisories/59733

secunia.com/advisories/59873

svn.apache.org/viewvc?view=revision&revision=1521829

svn.apache.org/viewvc?view=revision&revision=1521854

svn.apache.org/viewvc?view=revision&revision=1552565

tomcat.apache.org/security-6.html

tomcat.apache.org/security-7.html

tomcat.apache.org/security-8.html

www-01.ibm.com/support/docview.wss?uid=swg21667883

www-01.ibm.com/support/docview.wss?uid=swg21675886

www-01.ibm.com/support/docview.wss?uid=swg21677147

www-01.ibm.com/support/docview.wss?uid=swg21678113

www-01.ibm.com/support/docview.wss?uid=swg21678231

www.debian.org/security/2016/dsa-3530

www.mandriva.com/security/advisories?name=MDVSA-2015:052

www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

www.securityfocus.com/archive/1/534161/100/0/threaded

www.securityfocus.com/bid/65773

www.ubuntu.com/usn/USN-2130-1

www.vmware.com/security/advisories/VMSA-2014-0012.html

bugzilla.redhat.com/show_bug.cgi?id=1069921

h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013

lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

rhn.redhat.com/errata/RHSA-2014-0686.html

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

8.2

Confidence

High

EPSS

0.972

Percentile

99.8%

JSON

Related for NVD:CVE-2013-4286