Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-0050

CWE-264 CWE-20 — Improper Input Validation15 documents11 sources

Severity

7.5HIGH

EPSS

92.7%

top 0.25%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Commons Fileupload Apache Tomcat Oracle Retail Applications

Timeline

PublishedApr 1

Latest updateDec 21

Description

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages6 packages

▶NVDapache/commons_fileupload1.3+6

▶Mavenorg.apache.tomcat:tomcat8.0.0-RC1 — 8.0.3+1

▶Debianlibcommons-fileupload-java< 1.3.1-1+3

▶NVDapache/tomcat53 versions+52

▶Mavencommons-fileupload:commons-fileupload< 1.3.1

Patches

Patch: svn.apache.org ↗Patch: tomcat.apache.org ↗Patch: tomcat.apache.org ↗

🔴Vulnerability Details

GHSA

Commons FileUpload Denial of service vulnerability↗2018-12-21

▶

OSV

Commons FileUpload Denial of service vulnerability↗2018-12-21

▶

OSV

CVE-2014-0050: MultipartStream↗2014-04-01

▶

CVEList

CVE-2014-0050: MultipartStream↗2014-03-28

▶

💥Exploits & PoCs

Exploit-DB

Apache Commons FileUpload and Apache Tomcat - Denial of Service↗2014-02-12

▶

🔍Detection Rules

Suricata

ET WEB_SERVER Apache Tomcat Boundary Overflow DOS/File Upload Attempt↗2014-02-12

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerabilities↗2014-03-06

▶

Red Hat

apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream↗2014-02-06

▶

Debian

CVE-2014-0050: libcommons-fileupload-java - MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apach...↗2014

▶

Apache

Apache tomcat: CVE-2014-0050↗

▶

💬Community

Bugzilla

Upgrade apache-commons-fileupload to 1.3.1 to address CVE-2014-0050↗2014-03-19

▶

Bugzilla

CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used bt MultipartStream [fedora-all]↗2014-02-13

▶

Bugzilla

CVE-2014-0050 tomcat: apache-commons-fileupload: denial of service due to too-small buffer size used bt MultipartStream [fedora-all]↗2014-02-13

▶

Bugzilla

CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream↗2014-02-06

▶