Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.4
CVSSv2

CVE-2014-0227

Published: 16/02/2015 Updated: 07/11/2023
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Subscribe to Tomcat

Vulnerability Summary

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x prior to 6.0.42, 7.x prior to 7.0.55, and 8.x prior to 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote malicious users to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 7.0.2

apache tomcat 6.0.33

apache tomcat 6.0.0

apache tomcat 7.0.49

apache tomcat 6.0.39

apache tomcat 7.0.12

apache tomcat 6.0.6

apache tomcat 7.0.53

apache tomcat 6.0.4

apache tomcat 7.0.20

apache tomcat 6.0.11

apache tomcat 7.0.34

apache tomcat 7.0.8

apache tomcat 7.0.1

apache tomcat 7.0.5

apache tomcat 7.0.4

apache tomcat 6.0.7

apache tomcat 7.0.22

apache tomcat 7.0.39

apache tomcat 7.0.26

apache tomcat 7.0.46

apache tomcat 8.0.5

apache tomcat 6.0.15

apache tomcat 7.0.28

apache tomcat 8.0.1

apache tomcat 7.0.0

apache tomcat 7.0.50

apache tomcat 7.0.6

apache tomcat 8.0.0

apache tomcat 7.0.18

apache tomcat 6.0.20

apache tomcat 7.0.14

apache tomcat 6.0.9

apache tomcat 6.0.10

apache tomcat 6.0.31

apache tomcat 6.0.29

apache tomcat 7.0.48

apache tomcat 7.0.11

apache tomcat 6.0.3

apache tomcat 7.0.23

apache tomcat 6.0.1

apache tomcat 6.0.24

apache tomcat 7.0.44

apache tomcat 6.0.37

apache tomcat 6.0.17

apache tomcat 7.0.7

apache tomcat 7.0.52

apache tomcat 7.0.42

apache tomcat 6.0.32

apache tomcat 6.0.28

apache tomcat 7.0.37

apache tomcat 7.0.29

apache tomcat 7.0.45

apache tomcat 7.0.13

apache tomcat 7.0.47

apache tomcat 6.0.14

apache tomcat 7.0.41

apache tomcat 7.0.31

apache tomcat 7.0.30

apache tomcat 7.0.15

apache tomcat 7.0.19

apache tomcat 7.0.16

apache tomcat 6.0.41

apache tomcat 7.0.10

apache tomcat 7.0.36

apache tomcat 7.0.25

apache tomcat 6.0.12

apache tomcat 7.0.54

apache tomcat 7.0.35

apache tomcat 8.0.3

apache tomcat 6.0.18

apache tomcat 7.0.43

apache tomcat 6.0.2

apache tomcat 7.0.32

apache tomcat 7.0.38

apache tomcat 6.0.5

apache tomcat 7.0.21

apache tomcat 7.0.27

apache tomcat 7.0.24

apache tomcat 7.0.17

apache tomcat 7.0.40

apache tomcat 6.0.30

apache tomcat 7.0.9

apache tomcat 6.0.13

apache tomcat 8.0.8

apache tomcat 7.0.3

apache tomcat 6.0.8

apache tomcat 6.0.26

apache tomcat 6.0.19

apache tomcat 6.0.27

apache tomcat 6.0.35

apache tomcat 6.0.16

apache tomcat 6.0.36

apache tomcat 7.0.33

Vendor Advisories

Debian CVElist Bug Report Logs: tomcat6: CVE-2014-0227: HTTP request smuggling or DoS by streaming malformed data
Debian Bug report logs - #785312 tomcat6: CVE-2014-0227: HTTP request smuggling or DoS by streaming malformed data Package: src:tomcat6; Maintainer for src:tomcat6 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Santiago Ruano Rincón <santiagorr@riseupnet> Date: Thu, 14 May 20 ...
Ubuntu Security Notice: tomcat7 vulnerabilities
Several security issues were fixed in Tomcat ...
Ubuntu Security Notice: tomcat6 vulnerabilities
Several security issues were fixed in Tomcat ...
Debian Security Advisories: DSA-3447-1 tomcat7 -- security update
It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section For the oldstable distribution (wheezy), this problem has been fixed in version 7028-4+deb7u3 This update also provides fixes for CVE-2013-4444, CVE-2014-0 ...
Amazon Linux AMI: ALAS-2015-527
It was discovered that JBoss Web / Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding A remote attacker could use this flaw to perform a denial of service attack against JBoss Web / Apache Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources (CVE-2014-0075) ...
Amazon Linux AMI: ALAS-2015-526
It was discovered that JBoss Web / Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding A remote attacker could use this flaw to perform a denial of service attack against JBoss Web / Apache Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources (CVE-2014-0075) ...
Amazon Linux AMI: ALAS-2015-525
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected A remote attacker could possibly use this flaw to make Tomcat process part of the request body as new request, or cause a denial of service ...

References

CWE-19http://tomcat.apache.org/security-7.htmlhttps://bugzilla.redhat.com/show_bug.cgi?id=1109196http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.htmlhttps://source.jboss.org/changelog/JBossWeb?cs=2455http://tomcat.apache.org/security-6.htmlhttp://svn.apache.org/viewvc?view=revision&revision=1600984http://tomcat.apache.org/security-8.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.htmlhttp://rhn.redhat.com/errata/RHSA-2015-0675.htmlhttp://www.securityfocus.com/bid/72717http://www.mandriva.com/security/advisories?name=MDVSA-2015:052http://advisories.mageia.org/MGASA-2015-0081.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2015:053http://rhn.redhat.com/errata/RHSA-2015-0720.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2015:084http://rhn.redhat.com/errata/RHSA-2015-0765.htmlhttp://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.htmlhttp://www.debian.org/security/2016/dsa-3530http://marc.info/?l=bugtraq&m=143403519711434&w=2http://marc.info/?l=bugtraq&m=143393515412274&w=2http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlhttp://www.debian.org/security/2016/dsa-3447http://www.ubuntu.com/usn/USN-2655-1http://rhn.redhat.com/errata/RHSA-2015-0991.htmlhttp://rhn.redhat.com/errata/RHSA-2015-0983.htmlhttp://www.securitytracker.com/id/1032791http://www.ubuntu.com/usn/USN-2654-1https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3Ehttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785312https://nvd.nist.govhttps://usn.ubuntu.com/2654-1/
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-47626CVE-2024-3400physicalCVE-2024-31426CVE-2024-22423CVE-2024-22438injectlocal usersCVE-2024-3797
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook