CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS
Percentile
94.1%
Low: Denial of Service CVE-2014-0230
When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.
This was fixed in revision 1659537.
This issue was disclosed to the Tomcat security team by AntBean@secdig from the Baidu Security Team on 4 June 2014 and made public on 9 April 2015.
Affects: 6.0.0 to 6.0.43
Moderate: Security Manager bypass CVE-2014-7810
Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.
This was fixed in revisions 1645366 and 1659538.
This issue was identified by the Tomcat security team on 2 November 2014 and made public on 14 May 2015.
Affects: 6.0.0 to 6.0.43