7.8
HIGH

CVE-2014-0230

Published: 07/06/2015 Updated: 19/07/2018
CVSS v2 Base Score: 7.8 | Impact Score: 6.9 | Exploitability Score: 10

Vulnerability Summary

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response is sent before the entire request body has been read, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts. When a servlet completes its response without consuming the request body (for example, an upload rejected on authentication or size grounds), the connector "swallows" the unread bytes so that the next keep-alive request on the connection can be parsed. Affected versions put no bound on how much they would swallow, so a client that advertises a large Content-Length and keeps streaming body bytes holds one request-processing thread for as long as it likes; enough such connections exhaust the connector's thread pool. The fixed releases add a maxSwallowSize attribute to the Connector element (default 2097152 bytes, i.e. 2 MB; a negative value disables the limit) and close the connection once that many bytes have been discarded.
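The following is an added, constructed model of the swallow step described above; it is not Tomcat source, and the class and function names (TricklingUploader, swallow_remaining_body, simulate, threads_held) are ours. It runs an aborted upload through the unbounded pre-fix logic and through a capped, post-fix-style logic so the difference in thread occupancy is visible. A simulation budget bounds the attacker's stream so the unpatched path terminates; a real client would simply keep sending.

```python
"""Toy model of request-body swallowing behind CVE-2014-0230 (added example).

After a servlet finishes its response without reading the request body, the
connector discards the unread bytes so the next keep-alive request can be
parsed. Without a cap, an attacker who keeps sending body bytes keeps the
processing thread busy indefinitely. Names and numbers below are ours, except
the 2 MiB default, which is the post-fix maxSwallowSize default.
"""

DEFAULT_MAX_SWALLOW_SIZE = 2 * 1024 * 1024  # post-fix default, 2 MiB
UNLIMITED = None                             # models the pre-fix behaviour


class SimulationBudget(Exception):
    """Raised when the model would otherwise loop forever."""


class TricklingUploader:
    """Constructed attacker client: advertises a huge Content-Length and keeps
    sending body bytes for as long as the server reads them. `budget` bounds
    the simulation only; it is not something the attacker needs."""

    def __init__(self, content_length, budget):
        self.content_length = content_length
        self.budget = budget
        self.sent = 0

    def read(self, n):
        if self.sent >= self.budget:
            raise SimulationBudget()
        chunk = b"A" * min(n, self.budget - self.sent)
        self.sent += len(chunk)
        return chunk


def swallow_remaining_body(client, already_read, max_swallow_size, chunk=8192):
    """Discard the unread part of the request body after the response was sent.

    Returns (outcome, bytes_swallowed) where outcome is one of:
      'keep-alive'   whole body discarded, connection reusable
      'close'        cap reached (or peer gone), connection dropped
      'thread-held'  client still sending and nothing stops the loop
                     (pre-fix: the processing thread stays allocated)
    """
    remaining = client.content_length - already_read
    swallowed = 0
    while remaining > 0:
        if max_swallow_size is not None and swallowed >= max_swallow_size:
            return "close", swallowed
        try:
            data = client.read(min(chunk, remaining))
        except SimulationBudget:
            return "thread-held", swallowed
        if not data:
            return "close", swallowed  # peer went away; nothing to keep alive
        swallowed += len(data)
        remaining -= len(data)
    return "keep-alive", swallowed


def simulate(max_swallow_size, content_length=1 << 40, budget=8 * 1024 * 1024):
    """One aborted upload: the application answers before reading any body."""
    client = TricklingUploader(content_length, budget)
    return swallow_remaining_body(client, already_read=0,
                                  max_swallow_size=max_swallow_size)


def threads_held(num_connections, max_swallow_size):
    """Connections that still occupy a processing thread after responding."""
    return sum(1 for _ in range(num_connections)
               if simulate(max_swallow_size)[0] == "thread-held")


if __name__ == "__main__":
    print("unpatched:", simulate(UNLIMITED))
    print("patched:  ", simulate(DEFAULT_MAX_SWALLOW_SIZE))
    print("threads held by 50 connections, unpatched:",
          threads_held(50, UNLIMITED))
    print("threads held by 50 connections, patched:  ",
          threads_held(50, DEFAULT_MAX_SWALLOW_SIZE))
```

On a fixed release the cap is configured per Connector in server.xml as maxSwallowSize; leaving it at the default is the intended mitigation, and setting it to a negative value restores the unbounded behaviour modelled by UNLIMITED above. On an affected release there is no such attribute, and upgrading is the only fix.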

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

Affected Products

Vendor   Product          Versions
Apache   Tomcat           6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.0.20, 6.0.24, 6.0.26, 6.0.27, 6.0.28, 6.0.29, 6.0.30, 6.0.31, 6.0.32, 6.0.33, 6.0.35, 6.0.36, 6.0.37, 6.0.39, 6.0.41, 6.0.43, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18, 7.0.19, 7.0.20, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.0.25, 7.0.26, 7.0.27, 7.0.28, 7.0.29, 7.0.30, 7.0.31, 7.0.32, 7.0.33, 7.0.34, 7.0.35, 7.0.36, 7.0.37, 7.0.38, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.52, 7.0.53, 7.0.54, 8.0.0, 8.0.1, 8.0.3, 8.0.5, 8.0.8
Oracle   Virtualization   4.63, 4.71, 5.1


References

CWE-399 (Resource Management Errors)

http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://marc.info/?l=bugtraq&m=145974991225029&w=2
http://openwall.com/lists/oss-security/2015/04/10/1
http://rhn.redhat.com/errata/RHSA-2015-1621.html
http://rhn.redhat.com/errata/RHSA-2015-1622.html
http://rhn.redhat.com/errata/RHSA-2015-2661.html
http://rhn.redhat.com/errata/RHSA-2016-0595.html
http://rhn.redhat.com/errata/RHSA-2016-0596.html
http://rhn.redhat.com/errata/RHSA-2016-0597.html
http://rhn.redhat.com/errata/RHSA-2016-0598.html
http://rhn.redhat.com/errata/RHSA-2016-0599.html
http://svn.apache.org/viewvc?view=revision&revision=1603770
http://svn.apache.org/viewvc?view=revision&revision=1603775
http://svn.apache.org/viewvc?view=revision&revision=1603779
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://www.debian.org/security/2016/dsa-3447
http://www.debian.org/security/2016/dsa-3530
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/bid/74475
http://www.ubuntu.com/usn/USN-2654-1
http://www.ubuntu.com/usn/USN-2655-1
https://access.redhat.com/errata/RHSA-2015:2659
https://access.redhat.com/errata/RHSA-2015:2660
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
https://issues.jboss.org/browse/JWS-219
https://issues.jboss.org/browse/JWS-220