CVE-2013-4322

MEDIUM
Description

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

References

http://advisories.mageia.org/MGASA-2014-0148.html

http://marc.info/?l=bugtraq&m=144498216801440&w=2

http://seclists.org/fulldisclosure/2014/Dec/23

http://secunia.com/advisories/59036

http://secunia.com/advisories/59675

http://secunia.com/advisories/59722

http://secunia.com/advisories/59724

http://secunia.com/advisories/59873

http://svn.apache.org/viewvc?view=revision&revision=1521834

http://svn.apache.org/viewvc?view=revision&revision=1521864

http://svn.apache.org/viewvc?view=revision&revision=1549522

http://svn.apache.org/viewvc?view=revision&revision=1549523

http://svn.apache.org/viewvc?view=revision&revision=1556540

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-8.html

http://www.debian.org/security/2016/dsa-3530

http://www.mandriva.com/security/advisories?name=MDVSA-2015:052

http://www.mandriva.com/security/advisories?name=MDVSA-2015:084

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/65767

http://www.ubuntu.com/usn/USN-2130-1

http://www.vmware.com/security/advisories/VMSA-2014-0008.html

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

http://www-01.ibm.com/support/docview.wss?uid=swg21667883

http://www-01.ibm.com/support/docview.wss?uid=swg21675886

http://www-01.ibm.com/support/docview.wss?uid=swg21677147

http://www-01.ibm.com/support/docview.wss?uid=swg21678113

http://www-01.ibm.com/support/docview.wss?uid=swg21678231

https://bugzilla.redhat.com/show_bug.cgi?id=1069905

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://rhn.redhat.com/errata/RHSA-2014-0686.html

Details

Source: MITRE

Published: 2014-02-26

Updated: 2019-04-15

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:apache:tomcat:1.1.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.1.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.2.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.2.2:beta2:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.2.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.2.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.3.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.3.1a:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:3.3.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.31:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.32:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.33:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.34:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.35:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions up to 6.0.37 (inclusive)

Configuration 3

OR

cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc4:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc6:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc7:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc8:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:8.0.0:rc9:*:*:*:*:*:*

Tenable Plugins

ID | Name | Product | Family | Severity
121122 | Apache Tomcat < 8.0.0-RC10 Multiple Vulnerabilities | Nessus | Web Servers | low
90205 | Debian DSA-3530-1 : tomcat6 - security update | Nessus | Debian Local Security Checks | high
84401 | IBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities | Nessus | Misc. | high
82337 | Mandriva Linux Security Advisory : tomcat (MDVSA-2015:084) | Nessus | Mandriva Local Security Checks | medium
81935 | Mandriva Linux Security Advisory : tomcat (MDVSA-2015:052) | Nessus | Mandriva Local Security Checks | medium
80793 | Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_apache_tomcat4) | Nessus | Solaris Local Security Checks | medium
79982 | GLSA-201412-29 : Apache Tomcat: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
78287 | Amazon Linux AMI : tomcat6 (ALAS-2014-344) | Nessus | Amazon Linux Local Security Checks | high
77928 | Fedora 20 : tomcat-7.0.52-1.fc20 (2014-11048) | Nessus | Fedora Local Security Checks | medium
77728 | VMware Security Updates for vCenter Server (VMSA-2014-0008) | Nessus | Misc. | critical
77630 | VMSA-2014-0008 : VMware vSphere product updates to third-party libraries | Nessus | VMware ESX Local Security Checks | high
77197 | SuSE 11.3 Security Update : tomcat6 (SAT Patch Number 9487) | Nessus | SuSE Local Security Checks | medium
76895 | RHEL 7 : tomcat (RHSA-2014:0686) | Nessus | Red Hat Local Security Checks | medium
76733 | Oracle Linux 7 : tomcat (ELSA-2014-0686) | Nessus | Oracle Linux Local Security Checks | medium
76450 | Scientific Linux Security Update : tomcat6 on SL6.x i386/srpm/x86_64 (20140709) | Nessus | Scientific Linux Local Security Checks | high
76241 | RHEL 5 / 6 : JBoss Web Server (RHSA-2014:0526) | Nessus | Red Hat Local Security Checks | high
76240 | RHEL 5 / 6 : JBoss Web Server (RHSA-2014:0525) | Nessus | Red Hat Local Security Checks | high
73679 | Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (20140423) | Nessus | Scientific Linux Local Security Checks | high
73678 | RHEL 6 : tomcat6 (RHSA-2014:0429) | Nessus | Red Hat Local Security Checks | high
73677 | Oracle Linux 6 : tomcat6 (ELSA-2014-0429) | Nessus | Oracle Linux Local Security Checks | high
73675 | CentOS 6 : tomcat6 (CESA-2014:0429) | Nessus | CentOS Local Security Checks | high
73421 | Debian DSA-2897-1 : tomcat7 - security update | Nessus | Debian Local Security Checks | high
72874 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : tomcat6, tomcat7 vulnerabilities (USN-2130-1) | Nessus | Ubuntu Local Security Checks | high
8141 | Apache Tomcat 6.0.x < 6.0.39 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium
72691 | Apache Tomcat 7.0.x < 7.0.50 Multiple Vulnerabilities | Nessus | Web Servers | medium
72690 | Apache Tomcat 6.0.x < 6.0.39 Multiple Vulnerabilities | Nessus | Web Servers | medium