Apache TomcatTOMCAT:6A4BFE59973660D515D03A0117A1C709Fixed in Apache Tomcat 8.0.9
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.948 High
EPSS
Percentile
99.2%
Important: Request Smuggling CVE-2014-0227
It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request.
This was fixed in revisions 1600984, 1601329, 1601330 and 1601332.
This issue was identified by the Tomcat security team on 30 May 2014 and made public on 9 February 2015.
Affects: 8.0.0-RC1 to 8.0.8
Low: Denial of Service CVE-2014-0230
When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.
This was fixed in revision 1603770 and improved in revisions 1603775, 1603779, 1609175 and 1659294.
This issue was disclosed to the Tomcat security team by AntBean@secdig from the Baidu Security Team on 4 June 2014 and made public on 9 April 2015.
Affects: 8.0.0-RC1 to 8.0.8
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache tomcat | ge | 8.0.0-RC1 | |
| apache tomcat | le | 8.0.8 |
Related
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.948 High
EPSS
Percentile
99.2%