Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-4858Improper Input Validation in Apache Tomcat

CWE-399CWE-20Improper Input Validation12 documents8 sources
Severity
5.0MEDIUMNVD
EPSS
76.6%
top 1.05%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Apache Tomcat
Timeline
PublishedJan 5
Latest updateMay 14

Description

Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

NVDapache/tomcat59 versions+58

🔴Vulnerability Details

4
GHSA
Improper Input Validation in Apache Tomcat2022-05-14
OSV
Improper Input Validation in Apache Tomcat2022-05-14
GHSA
Denial of Service in Apache Tomcat2022-05-04
CVEList
CVE-2011-4858: Apache Tomcat before 52012-01-05

💥Exploits & PoCs

2
Exploit-DB
PHP Hash Table Collision - Denial of Service (PoC)2012-01-03
Exploit-DB
MyBulletinBoard (MyBB) 1.1.5 - 'CLIENT-IP' SQL Injection2006-07-15

📋Vendor Advisories

3
Ubuntu
Tomcat vulnerabilities2012-02-13
Red Hat
tomcat: large number of parameters DoS2012-01-17
Red Hat
tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)2011-12-28

💬Community

2
Bugzilla
CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)2011-11-01
Bugzilla
CVE-2011-1575 pure-ftpd: command injection during plaintext to TLS session switch2011-03-08
CVE-2011-4858 — Improper Input Validation in Apache | cvebase