CVE-2013-4322

MEDIUM severity · CVSS 4.3 · Improper input validation

4.3CVSS MEDIUM

Summary

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

Impact & exploitability

Attack vectorNetwork

Attack complexity—

Privileges required—

User interaction—

Confidentiality impactNone

Integrity impactNone

Availability impact—

Exploit probability (EPSS)36%

AV:N/AC:M/Au:N/C:N/I:N/A:P

Affected products we track (1)

Apache Tomcat

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://advisories.mageia.org/MGASA-2014-0148.html
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://seclists.org/fulldisclosure/2014/Dec/23
http://secunia.com/advisories/59036
http://secunia.com/advisories/59675
http://secunia.com/advisories/59722
http://secunia.com/advisories/59724
http://secunia.com/advisories/59873