6.4
CVSSv2

CVE-2010-2227

Published: 13/07/2010 Updated: 07/11/2023
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 720
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Vulnerability Summary

Apache Tomcat 5.5.0 up to and including 5.5.29, 6.0.0 up to and including 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote malicious users to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 5.5.27

apache tomcat 5.5.18

apache tomcat 5.5.12

apache tomcat 5.5.14

apache tomcat 5.5.10

apache tomcat 5.5.4

apache tomcat 5.5.7

apache tomcat 5.5.1

apache tomcat 5.5.11

apache tomcat 5.5.28

apache tomcat 5.5.6

apache tomcat 5.5.26

apache tomcat 5.5.20

apache tomcat 5.5.15

apache tomcat 5.5.5

apache tomcat 5.5.21

apache tomcat 5.5.22

apache tomcat 5.5.3

apache tomcat 5.5.9

apache tomcat 5.5.25

apache tomcat 5.5.2

apache tomcat 5.5.0

apache tomcat 5.5.13

apache tomcat 5.5.24

apache tomcat 5.5.8

apache tomcat 5.5.16

apache tomcat 5.5.17

apache tomcat 5.5.29

apache tomcat 5.5.19

apache tomcat 5.5.23

apache tomcat 6.0.6

apache tomcat 6.0.11

apache tomcat 6.0.7

apache tomcat 6.0.4

apache tomcat 6.0.15

apache tomcat 6.0.20

apache tomcat 6.0.10

apache tomcat 6.0.3

apache tomcat 6.0.9

apache tomcat 6.0.24

apache tomcat 6.0.17

apache tomcat 6.0.0

apache tomcat 6.0.14

apache tomcat 6.0.1

apache tomcat 6.0.12

apache tomcat 6.0.18

apache tomcat 6.0.5

apache tomcat 6.0.2

apache tomcat 6.0.13

apache tomcat 6.0.26

apache tomcat 6.0.19

apache tomcat 6.0.27

apache tomcat 6.0.16

apache tomcat 6.0.8

apache tomcat 7.0.0

Vendor Advisories

It was discovered that Tomcat incorrectly handled invalid Transfer-Encoding headers A remote attacker could send specially crafted requests containing invalid headers to the server and cause a denial of service, or possibly obtain sensitive information from other requests ...
Debian Bug report logs - #588813 CVE-2010-2227: DoS and information disclosure Package: tomcat6; Maintainer for tomcat6 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Moritz Muehlenhoff <jmm@inutilorg> Date: Mon, 12 Jul 2010 15:24:01 UTC Severity: grave Tags: security Found ...
Synopsis Important: tomcat5 security update Type/Severity Security Advisory: Important Topic Updated tomcat5 packages that fix multiple security issues are nowavailable for Red Hat Enterprise Linux 5The Red Hat Security Response Team has rated this update as havingimportant security impact Common Vulnerab ...
Synopsis Important: tomcat5 security update Type/Severity Security Advisory: Important Topic Updated tomcat5 packages that fix one security issue are now available forRed Hat Developer Suite 3The Red Hat Security Response Team has rated this update as havingimportant security impact A Common Vulnerability ...
Synopsis Important: jbossweb security update Type/Severity Security Advisory: Important Topic An updated jbossweb package that fixes two security issues is now availablefor JBoss Enterprise Application Platform 42 and 43 for Red HatEnterprise Linux 4 and 5The Red Hat Security Response Team has rated this ...
Synopsis Important: tomcat5 and tomcat6 security update Type/Severity Security Advisory: Important Topic Updated tomcat5 and tomcat6 packages that fix one security issue are nowavailable for JBoss Enterprise Web Server 101 for Red Hat EnterpriseLinux 4 and 5The Red Hat Security Response Team has rated th ...
Synopsis Important: tomcat5 security update Type/Severity Security Advisory: Important Topic Updated tomcat5 packages that fix three security issues are now availablefor Red Hat Application Server v2The Red Hat Security Response Team has rated this update as havingimportant security impact Common Vulnerab ...

References

CWE-119http://tomcat.apache.org/security-7.htmlhttp://tomcat.apache.org/security-5.htmlhttp://svn.apache.org/viewvc?view=revision&revision=959428http://svn.apache.org/viewvc?view=revision&revision=958977http://securitytracker.com/id?1024180http://tomcat.apache.org/security-6.htmlhttp://www.securityfocus.com/bid/41544http://svn.apache.org/viewvc?view=revision&revision=958911http://www.redhat.com/support/errata/RHSA-2010-0583.htmlhttp://www.redhat.com/support/errata/RHSA-2010-0580.htmlhttp://secunia.com/advisories/40813http://www.redhat.com/support/errata/RHSA-2010-0581.htmlhttp://www.vupen.com/english/advisories/2010/1986http://www.redhat.com/support/errata/RHSA-2010-0582.htmlhttp://geronimo.apache.org/22x-security-report.htmlhttp://geronimo.apache.org/21x-security-report.htmlhttp://secunia.com/advisories/41025http://www.mandriva.com/security/advisories?name=MDVSA-2010:176http://www.mandriva.com/security/advisories?name=MDVSA-2010:177http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.htmlhttp://www.vupen.com/english/advisories/2010/2868http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050207.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2010-November/050214.htmlhttp://secunia.com/advisories/42079http://marc.info/?l=bugtraq&m=129070310906557&w=2http://www.vupen.com/english/advisories/2010/3056http://secunia.com/advisories/42368http://www.novell.com/support/viewContent.do?externalId=7007275http://www.novell.com/support/viewContent.do?externalId=7007274http://secunia.com/advisories/42454http://www.vmware.com/security/advisories/VMSA-2011-0003.htmlhttp://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.htmlhttp://secunia.com/advisories/43310http://secunia.com/advisories/44183http://www.debian.org/security/2011/dsa-2207http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.htmlhttp://support.apple.com/kb/HT5002http://marc.info/?l=bugtraq&m=136485229118404&w=2http://marc.info/?l=bugtraq&m=139344343412337&w=2http://secunia.com/advisories/57126https://exchange.xforce.ibmcloud.com/vulnerabilities/60264https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18532http://www.securityfocus.com/archive/1/516397/100/0/threadedhttp://www.securityfocus.com/archive/1/512272/100/0/threadedhttps://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3Ehttps://nvd.nist.govhttps://usn.ubuntu.com/976-1/