CVE-2013-4444 — Code Injection in Apache Tomcat

CWE-94 — Code Injection14 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

9.5%

top 7.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedSep 12

Latest updateMay 13

Description

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDapache/tomcat7.0.39+34

Patches

Patch: tomcat.apache.org ↗Patch: tomcat.apache.org ↗

🔴Vulnerability Details

OSV

Apache Tomcat Unrestricted file upload vulnerability↗2022-05-13

▶

GHSA

Apache Tomcat Unrestricted file upload vulnerability↗2022-05-13

▶

CVEList

CVE-2013-4444: Unrestricted file upload vulnerability in Apache Tomcat 7↗2014-09-12

▶

OSV

CVE-2013-4444: Unrestricted file upload vulnerability in Apache Tomcat 7↗2014-09-12

▶

💥Exploits & PoCs

Exploit-DB

PCMan FTP Server 2.0.7 - 'RENAME' Remote Buffer Overflow↗2015-08-29

▶

Exploit-DB

PCMan FTP Server 2.0.7 - 'MKD' Remote Buffer Overflow↗2015-02-14

▶

Exploit-DB

PCMan FTP Server 2.07 - 'ABOR' Remote Buffer Overflow↗2014-01-29

▶

Exploit-DB

PCMan FTP Server 2.07 - 'CWD' Remote Buffer Overflow↗2014-01-29

▶

Exploit-DB

Craigslist Gold - SQL Injection↗2013-05-06

▶

📋Vendor Advisories

Red Hat

tomcat: remote code execution via uploaded JSP↗2014-09-10

▶

💬Community

Bugzilla

CVE-2013-4444 tomcat: remote code execution via uploaded JSP [epel-6]↗2014-09-10

▶

Bugzilla

CVE-2013-4444 tomcat: remote code execution via uploaded JSP↗2014-09-10

▶