what you don't know can hurt you
Showing 1 - 22 of 22 RSS Feed

CVE-2013-4286

Status Candidate

Overview

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

Related Files

Debian Security Advisory 3530-1
Posted Mar 26, 2016
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3530-1 - Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.

tags | advisory, denial of service, vulnerability, info disclosure
systems | linux, debian
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0227, CVE-2014-0230, CVE-2014-7810, CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763
MD5 | b3ff78c3cc3e2ba76e5dbd1283a387d3
HP Security Bulletin HPSBOV03503 1
Posted Oct 16, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBOV03503 1 - Potential security vulnerabilities have been identified in HP OpenVMS CSWS_JAVA running Tomcat. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts. Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2013-4444, CVE-2013-4590, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0230, CVE-2014-0277
MD5 | 6fe4f7a06015373b53986b43bfde1890
Mandriva Linux Security Advisory 2015-052
Posted Mar 3, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-052 - Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via a Content-Length header and a Transfer-Encoding: chunked header. Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling a large total amount of chunked data or whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. Various otehr issues have also been addressed.

tags | advisory, java, remote, web, denial of service, overflow, arbitrary
systems | linux, mandriva
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0227
MD5 | 12214eea7943a02a1491aec04cfda503
Gentoo Linux Security Advisory 201412-29
Posted Dec 15, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201412-29 - Multiple vulnerabilities have been found in Apache Tomcat, the worst of which may result in Denial of Service. Versions less than 7.0.56 are affected.

tags | advisory, denial of service, vulnerability
systems | linux, gentoo
advisories | CVE-2012-2733, CVE-2012-3544, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, CVE-2013-2067, CVE-2013-2071, CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033, CVE-2014-0050, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119
MD5 | 647b25de46b1c32b73686dc16ad0f07c
HP Security Bulletin HPSBUX03150 SSRT101681
Posted Oct 21, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX03150 SSRT101681 - Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These could be exploited remotely to create a Denial of Service (DoS) and other vulnerabilities. Revision 1 of this advisory.

tags | advisory, web, denial of service, php, vulnerability
systems | hpux
advisories | CVE-2013-4248, CVE-2013-4286, CVE-2013-6438, CVE-2014-0075, CVE-2014-0098, CVE-2014-0099, CVE-2014-3981
MD5 | 629793f0062e5ffce71d639497825420
Red Hat Security Advisory 2014-0686-01
Posted Jun 11, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0686-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that a fix for a previous security flaw introduced a regression that could cause a denial of service in Tomcat 7. A remote attacker could use this flaw to consume an excessive amount of CPU on the Tomcat server by sending a specially crafted request to that server. It was found that when Tomcat 7 processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests.

tags | advisory, java, remote, web, denial of service, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2014-0186
MD5 | e4fc2d79cac229b25d62a472e66aad9f
Red Hat Security Advisory 2014-0527-01
Posted May 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0527-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests.

tags | advisory, java, remote, web, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2014-0050
MD5 | cbaf8e83b137d86f20c6279f7c8c6356
Red Hat Security Advisory 2014-0526-01
Posted May 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0526-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests.

tags | advisory, java, remote, web, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2014-0050
MD5 | 1559ab174347a91f1a513a117fb9d578
Red Hat Security Advisory 2014-0525-01
Posted May 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0525-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests.

tags | advisory, java, remote, web, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2014-0033, CVE-2014-0050
MD5 | 8ed8cd9a16ac7c4f47d24a9b73b30438
Red Hat Security Advisory 2014-0528-01
Posted May 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0528-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests.

tags | advisory, java, remote, web, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2014-0033, CVE-2014-0050
MD5 | 517003c76e4cbbd085ef86ec707475d3
Red Hat Security Advisory 2014-0511-01
Posted May 15, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0511-01 - Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.

tags | advisory, java, remote, web, code execution
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2014-0114
MD5 | 0d3db40019777908c611112e3561a69a
Red Hat Security Advisory 2014-0458-01
Posted May 1, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0458-01 - Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems such as multiple databases, XML files, and even Hadoop systems appear as a set of tables in a local database. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

tags | advisory, local
systems | linux, redhat
advisories | CVE-2013-4286
MD5 | de079cea4cefe72a78e907aedb9560cf
Red Hat Security Advisory 2014-0459-01
Posted May 1, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0459-01 - Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure. Red Hat JBoss Fuse Service Works allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

tags | advisory
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2014-0002, CVE-2014-0003, CVE-2014-0050
MD5 | d8912b1ad15b3994b0fe3721987d517e
Red Hat Security Advisory 2014-0429-01
Posted Apr 23, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0429-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests. It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default.

tags | advisory, java, remote, web, denial of service, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2014-0050
MD5 | 4a1e295c7bb9afd1b67d2172a41ebc0b
Debian Security Advisory 2897-1
Posted Apr 8, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2897-1 - Multiple security issues were found in the Tomcat servlet and JSP engine.

tags | advisory
systems | linux, debian
advisories | CVE-2013-2067, CVE-2013-2071, CVE-2013-4286, CVE-2013-4322, CVE-2014-0050
MD5 | 8e701e5bd7e02ad835906127a793048a
Red Hat Security Advisory 2014-0374-01
Posted Apr 3, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0374-01 - Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.2.1 serves as a replacement for Red Hat JBoss Data Grid 6.2.0. It includes various bug fixes and enhancements which are detailed in the Red Hat JBoss Data Grid 6.2.1 Release Notes.

tags | advisory
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2013-7285
MD5 | a29377010208bc9b22c479ed22606b8b
Red Hat Security Advisory 2014-0373-01
Posted Apr 3, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0373-01 - JBoss Web Server is an enterprise ready web server designed for medium and large applications, and is based on Tomcat. JBoss Web Server provides organizations with a single deployment platform for Java Server Pages and Java Servlet technologies, PHP, and CGI. It uses a genuine high performance hybrid technology that incorporates the best of the most recent OS technologies for processing high volume data, while keeping all the reference Java specifications. Apache Commons FileUpload package makes it easy to add robust, high-performance, file upload capability to servlets and web applications.

tags | advisory, java, web, cgi, php, file upload
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2014-0050
MD5 | a9efdc53a6f8acc17a2647204d97dd66
Red Hat Security Advisory 2014-0344-01
Posted Mar 31, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0344-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests.

tags | advisory, java, remote, web, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2014-0093
MD5 | 479dce0d3d5922d77ef759aff60a2f1b
Red Hat Security Advisory 2014-0345-01
Posted Mar 31, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0345-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests.

tags | advisory, java, remote, web, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2014-0093
MD5 | 95308a7a6883db8786f3ac4ad62d4a22
Red Hat Security Advisory 2014-0343-01
Posted Mar 31, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0343-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting attacks, or obtain sensitive information from other requests.

tags | advisory, java, remote, web, xss
systems | linux, redhat
advisories | CVE-2013-4286, CVE-2014-0093
MD5 | 09e6384db464688ea9f897333bfcbfa5
Ubuntu Security Notice USN-2130-1
Posted Mar 6, 2014
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2130-1 - It was discovered that Tomcat incorrectly handled certain inconsistent HTTP headers. A remote attacker could possibly use this flaw to conduct request smuggling attacks. It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. Various other issues were also addressed.

tags | advisory, remote, web, denial of service
systems | linux, ubuntu
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2014-0033, CVE-2014-0050, CVE-2013-4286, CVE-2013-4322, CVE-2014-0033, CVE-2014-0050
MD5 | c3426739b24f0d8b9697ba017eea7d05
Apache Tomcat Information Disclosure
Posted Feb 25, 2014
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat versions 8.0.0-RC1, 7.0.0 through 7.0.42, and 6.0.0 through 6.0.37 suffer from an information disclosure vulnerability due to an incomplete fix for CVE-2005-2090.

tags | advisory, info disclosure
advisories | CVE-2005-2090, CVE-2013-4286
MD5 | ae23ddedd56b3c796ffd54760386c25e
Page 1 of 1
Back1Next

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    11 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close