CVE-2014-0050

EUVD-2018-0825
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
oracleretail_applications
12.0
oracleretail_applications
12.0in:in
oracleretail_applications
13.0
oracleretail_applications
13.1
oracleretail_applications
13.2
oracleretail_applications
13.3
oracleretail_applications
13.4
oracleretail_applications
14.0
apachecommons_fileupload
𝑥
≤ 1.3
apachecommons_fileupload
1.0
apachecommons_fileupload
1.1
apachecommons_fileupload
1.1.1
apachecommons_fileupload
1.2
apachecommons_fileupload
1.2.1
apachecommons_fileupload
1.2.2
apachetomcat
7.0.0
apachetomcat
7.0.0:beta
apachetomcat
7.0.1
apachetomcat
7.0.2
apachetomcat
7.0.2:beta
apachetomcat
7.0.3
apachetomcat
7.0.4
apachetomcat
7.0.4:beta
apachetomcat
7.0.5
apachetomcat
7.0.6
apachetomcat
7.0.7
apachetomcat
7.0.8
apachetomcat
7.0.9
apachetomcat
7.0.10
apachetomcat
7.0.11
apachetomcat
7.0.12
apachetomcat
7.0.13
apachetomcat
7.0.14
apachetomcat
7.0.15
apachetomcat
7.0.16
apachetomcat
7.0.17
apachetomcat
7.0.18
apachetomcat
7.0.19
apachetomcat
7.0.20
apachetomcat
7.0.21
apachetomcat
7.0.22
apachetomcat
7.0.23
apachetomcat
7.0.24
apachetomcat
7.0.25
apachetomcat
7.0.26
apachetomcat
7.0.27
apachetomcat
7.0.28
apachetomcat
7.0.29
apachetomcat
7.0.30
apachetomcat
7.0.31
apachetomcat
7.0.32
apachetomcat
7.0.33
apachetomcat
7.0.34
apachetomcat
7.0.35
apachetomcat
7.0.36
apachetomcat
7.0.37
apachetomcat
7.0.38
apachetomcat
7.0.39
apachetomcat
7.0.40
apachetomcat
7.0.41
apachetomcat
7.0.42
apachetomcat
7.0.43
apachetomcat
7.0.44
apachetomcat
7.0.45
apachetomcat
7.0.46
apachetomcat
7.0.47
apachetomcat
7.0.48
apachetomcat
7.0.49
apachetomcat
7.0.50
apachetomcat
8.0.0:rc1
apachetomcat
8.0.0:rc10
apachetomcat
8.0.0:rc2
apachetomcat
8.0.0:rc5
apachetomcat
8.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcommons-fileupload-java
bookworm
1.4-2
fixed
bullseye
1.4-1
fixed
sid
1.5-1
fixed
trixie
1.5-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libcommons-fileupload-java
artful
not-affected
bionic
not-affected
cosmic
not-affected
disco
not-affected
lucid
ignored
precise
ignored
quantal
ignored
saucy
ignored
trusty
dne
utopic
ignored
vivid
not-affected
wily
not-affected
xenial
not-affected
yakkety
not-affected
zesty
not-affected
tomcat6
artful
dne
bionic
dne
cosmic
dne
disco
dne
lucid
not-affected
precise
not-affected
quantal
not-affected
saucy
not-affected
trusty
not-affected
utopic
not-affected
vivid
not-affected
wily
not-affected
xenial
not-affected
yakkety
dne
zesty
dne
tomcat7
artful
not-affected
bionic
not-affected
cosmic
not-affected
disco
dne
lucid
dne
precise
ignored
quantal
Fixed 7.0.30-0ubuntu1.3
released
saucy
Fixed 7.0.42-1ubuntu0.1
released
trusty
not-affected
utopic
not-affected
vivid
not-affected
wily
not-affected
xenial
not-affected
yakkety
not-affected
zesty
not-affected
Common Weakness Enumeration
References
http://advisories.mageia.org/MGASA-2014-0110.html
http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
http://jvn.jp/en/jp/JVN14876762/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017
http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907%40apache.org%3E
http://marc.info/?l=bugtraq&m=143136844732487&w=2
http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
http://rhn.redhat.com/errata/RHSA-2014-0252.html
http://rhn.redhat.com/errata/RHSA-2014-0253.html
http://rhn.redhat.com/errata/RHSA-2014-0400.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://secunia.com/advisories/57915
http://secunia.com/advisories/58075
http://secunia.com/advisories/58976
http://secunia.com/advisories/59039
http://secunia.com/advisories/59041
http://secunia.com/advisories/59183
http://secunia.com/advisories/59184
http://secunia.com/advisories/59185
http://secunia.com/advisories/59187
http://secunia.com/advisories/59232
http://secunia.com/advisories/59399
http://secunia.com/advisories/59492
http://secunia.com/advisories/59500
http://secunia.com/advisories/59725
http://secunia.com/advisories/60475
http://secunia.com/advisories/60753
http://svn.apache.org/r1565143
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://www-01.ibm.com/support/docview.wss?uid=swg21669554
http://www-01.ibm.com/support/docview.wss?uid=swg21675432
http://www-01.ibm.com/support/docview.wss?uid=swg21676091
http://www-01.ibm.com/support/docview.wss?uid=swg21676092
http://www-01.ibm.com/support/docview.wss?uid=swg21676401
http://www-01.ibm.com/support/docview.wss?uid=swg21676403
http://www-01.ibm.com/support/docview.wss?uid=swg21676405
http://www-01.ibm.com/support/docview.wss?uid=swg21676410
http://www-01.ibm.com/support/docview.wss?uid=swg21676656
http://www-01.ibm.com/support/docview.wss?uid=swg21676853
http://www-01.ibm.com/support/docview.wss?uid=swg21677691
http://www-01.ibm.com/support/docview.wss?uid=swg21677724
http://www-01.ibm.com/support/docview.wss?uid=swg21681214
http://www.debian.org/security/2014/dsa-2856
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/archive/1/532549/100/0/threaded
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/65400
http://www.ubuntu.com/usn/USN-2130-1
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
http://www.vmware.com/security/advisories/VMSA-2014-0008.html
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://bugzilla.redhat.com/show_bug.cgi?id=1062337
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://security.gentoo.org/glsa/202107-39
http://advisories.mageia.org/MGASA-2014-0110.html
http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
http://jvn.jp/en/jp/JVN14876762/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017
http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907%40apache.org%3E
http://marc.info/?l=bugtraq&m=143136844732487&w=2
http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
http://rhn.redhat.com/errata/RHSA-2014-0252.html
http://rhn.redhat.com/errata/RHSA-2014-0253.html
http://rhn.redhat.com/errata/RHSA-2014-0400.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://secunia.com/advisories/57915
http://secunia.com/advisories/58075
http://secunia.com/advisories/58976
http://secunia.com/advisories/59039
http://secunia.com/advisories/59041
http://secunia.com/advisories/59183
http://secunia.com/advisories/59184
http://secunia.com/advisories/59185
http://secunia.com/advisories/59187
http://secunia.com/advisories/59232
http://secunia.com/advisories/59399
http://secunia.com/advisories/59492
http://secunia.com/advisories/59500
http://secunia.com/advisories/59725
http://secunia.com/advisories/60475
http://secunia.com/advisories/60753
http://svn.apache.org/r1565143
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://www-01.ibm.com/support/docview.wss?uid=swg21669554
http://www-01.ibm.com/support/docview.wss?uid=swg21675432
http://www-01.ibm.com/support/docview.wss?uid=swg21676091
http://www-01.ibm.com/support/docview.wss?uid=swg21676092
http://www-01.ibm.com/support/docview.wss?uid=swg21676401
http://www-01.ibm.com/support/docview.wss?uid=swg21676403
http://www-01.ibm.com/support/docview.wss?uid=swg21676405
http://www-01.ibm.com/support/docview.wss?uid=swg21676410
http://www-01.ibm.com/support/docview.wss?uid=swg21676656
http://www-01.ibm.com/support/docview.wss?uid=swg21676853
http://www-01.ibm.com/support/docview.wss?uid=swg21677691
http://www-01.ibm.com/support/docview.wss?uid=swg21677724
http://www-01.ibm.com/support/docview.wss?uid=swg21681214
http://www.debian.org/security/2014/dsa-2856
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/archive/1/532549/100/0/threaded
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/65400
http://www.ubuntu.com/usn/USN-2130-1
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
http://www.vmware.com/security/advisories/VMSA-2014-0008.html
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://bugzilla.redhat.com/show_bug.cgi?id=1062337
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://security.gentoo.org/glsa/202107-39