CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS
Percentile
99.3%
Important: Request Smuggling CVE-2014-0227
It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request.
This was fixed in revision 1601333.
This issue was identified by the Tomcat security team on 30 May 2014 and made public on 9 February 2015.
Affects: 7.0.0 to 7.0.54
Low: Denial of Service CVE-2014-0230
When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.
This was fixed in revision 1603781 and improved in revisions 1603811, 1609176 and 1659295.
This issue was disclosed to the Tomcat security team by AntBean@secdig from the Baidu Security Team on 4 June 2014 and made public on 9 April 2015.
Affects: 7.0.0 to 7.0.54