CVE-2014-0095 — Improper Input Validation in Apache Tomcat

CWE-20 — Improper Input Validation CWE-130 — Improper Handling of Length Parameter Inconsistency CWE-835 — Infinite Loop7 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

9.7%

top 7.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedMay 31

Latest updateMay 17

Description

java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/tomcat8.0.0, 8.0.1, 8.0.3+2

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

OSV

Denial of service in Apache Tomcat↗2022-05-17

▶

GHSA

Denial of service in Apache Tomcat↗2022-05-17

▶

CVEList

CVE-2014-0095: java/org/apache/coyote/ajp/AbstractAjpProcessor↗2014-05-31

▶

📋Vendor Advisories

Red Hat

8: Denial of service via AJP requests with content length zero↗2014-05-30

▶

Apache

Apache tomcat: CVE-2014-0095↗

▶

💬Community

Bugzilla

CVE-2014-0095 Apache Tomcat 8: Denial of service via AJP requests with content length zero↗2014-06-02

▶