CVE-2010-2227

medium

Description

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

References

http://geronimo.apache.org/21x-security-report.html

http://geronimo.apache.org/22x-security-report.html

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050207.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050214.html

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html

http://marc.info/?l=bugtraq&m=129070310906557&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=139344343412337&w=2

http://secunia.com/advisories/40813

http://secunia.com/advisories/41025

http://secunia.com/advisories/42079

http://secunia.com/advisories/42368

http://secunia.com/advisories/42454

http://secunia.com/advisories/43310

http://secunia.com/advisories/44183

http://secunia.com/advisories/57126

http://securitytracker.com/id?1024180

http://support.apple.com/kb/HT5002

http://svn.apache.org/viewvc?view=revision&revision=958911

http://svn.apache.org/viewvc?view=revision&revision=958977

http://svn.apache.org/viewvc?view=revision&revision=959428

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-7.html

http://www.debian.org/security/2011/dsa-2207

http://www.mandriva.com/security/advisories?name=MDVSA-2010:176

http://www.mandriva.com/security/advisories?name=MDVSA-2010:177

http://www.novell.com/support/viewContent.do?externalId=7007274

http://www.novell.com/support/viewContent.do?externalId=7007275

http://www.redhat.com/support/errata/RHSA-2010-0580.html

http://www.redhat.com/support/errata/RHSA-2010-0581.html

http://www.redhat.com/support/errata/RHSA-2010-0582.html

http://www.redhat.com/support/errata/RHSA-2010-0583.html

http://www.securityfocus.com/archive/1/512272/100/0/threaded

http://www.securityfocus.com/archive/1/516397/100/0/threaded

http://www.securityfocus.com/bid/41544

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html

http://www.vupen.com/english/advisories/2010/1986

http://www.vupen.com/english/advisories/2010/2868

http://www.vupen.com/english/advisories/2010/3056

https://exchange.xforce.ibmcloud.com/vulnerabilities/60264

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18532

Details

Source: MITRE

Published: 2010-07-13

Updated: 2019-03-25

Type: CWE-119

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*

Tenable Plugins

31 total

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 121115 | Apache Tomcat < 7.0.2 Denial of Service and Information Disclosure | Nessus | Web Servers | medium |
| 89674 | VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check) | Nessus | Misc. | critical |
| 75759 | openSUSE Security Update : tomcat6 (openSUSE-SU-2010:0616-1) | Nessus | SuSE Local Security Checks | medium |
| 68076 | Oracle Linux 5 : tomcat5 (ELSA-2010-0580) | Nessus | Oracle Linux Local Security Checks | medium |
| 63942 | RHEL 4 / 5 : jbossweb (RHSA-2010:0584) | Nessus | Red Hat Local Security Checks | medium |
| 60828 | Scientific Linux Security Update : tomcat5 on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 59677 | GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
| 59684 | HP Systems Insight Manager < 7.0 Multiple Vulnerabilities | Nessus | Windows | critical |
| 56481 | Mac OS X Multiple Vulnerabilities (Security Update 2011-006) | Nessus | MacOS X Local Security Checks | critical |
| 53212 | Debian DSA-2207-1 : tomcat5.5 - several vulnerabilities | Nessus | Debian Local Security Checks | medium |
| 800611 | Apache Tomcat 7.0.x < 7.0.2 Denial of Service Vulnerability | Log Correlation Engine | Web Servers | medium |
| 5791 | Apache Tomcat 7.0.x < 7.0.2 Denial of Service and Information Disclosure | Nessus Network Monitor | Web Servers | medium |
| 51971 | VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX | Nessus | VMware ESX Local Security Checks | high |
| 800613 | Apache Tomcat 5.5.x < 5.5.30 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | medium |
| 800595 | Apache Tomcat 6.0.x < 6.0.28 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | medium |
| 5788 | Apache Tomcat 6.0.x < 6.0.28 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 5786 | Apache Tomcat 5.5.x < 5.5.30 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 50593 | Fedora 14 : tomcat6-6.0.26-14.fc14 (2010-16528) | Nessus | Fedora Local Security Checks | medium |
| 50439 | Fedora 13 : tomcat6-6.0.26-11.fc13 (2010-16270) | Nessus | Fedora Local Security Checks | medium |
| 50438 | Fedora 12 : tomcat6-6.0.26-3.fc12 (2010-16248) | Nessus | Fedora Local Security Checks | medium |
| 49930 | SuSE 10 Security Update : tomcat5 (ZYPP Patch Number 7099) | Nessus | SuSE Local Security Checks | medium |
| 49259 | openSUSE Security Update : tomcat6 (openSUSE-SU-2010:0616-1) | Nessus | SuSE Local Security Checks | medium |
| 49258 | openSUSE Security Update : tomcat6 (openSUSE-SU-2010:0616-1) | Nessus | SuSE Local Security Checks | medium |
| 49255 | SuSE9 Security Update : Tomcat (YOU Patch Number 12625) | Nessus | SuSE Local Security Checks | medium |
| 49207 | Mandriva Linux Security Advisory : tomcat5 (MDVSA-2010:177) | Nessus | Mandriva Local Security Checks | medium |
| 49206 | Mandriva Linux Security Advisory : tomcat5 (MDVSA-2010:176) | Nessus | Mandriva Local Security Checks | medium |
| 48757 | Ubuntu 9.04 / 9.10 / 10.04 LTS : tomcat6 vulnerability (USN-976-1) | Nessus | Ubuntu Local Security Checks | medium |
| 48255 | Apache Tomcat 6.0 < 6.0.28 Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 48231 | RHEL 5 : tomcat5 (RHSA-2010:0580) | Nessus | Red Hat Local Security Checks | medium |
| 48218 | CentOS 5 : tomcat5 (CESA-2010:0580) | Nessus | CentOS Local Security Checks | medium |
| 47749 | Apache Tomcat 5.5.x < 5.5.30 | Nessus | Web Servers | medium |