Commons FileUpload Denial of service vulnerability

High severity GitHub Reviewed Published Dec 21, 2018 to the GitHub Advisory Database • Updated Mar 5, 2024

Package

commons-fileupload:commons-fileupload (Maven)

Affected versions

< 1.3.1

Patched versions

1.3.1

org.apache.tomcat:tomcat (Maven)

>= 8.0.0-RC1, <= 8.0.1

>= 7.0.0, <= 7.0.50

8.0.3

7.0.52

Description

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

References

https://nvd.nist.gov/vuln/detail/CVE-2014-0050
https://bugzilla.redhat.com/show_bug.cgi?id=1062337
GHSA-xx68-jfcg-xmmf
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
http://advisories.mageia.org/MGASA-2014-0110.html
http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
http://jvn.jp/en/jp/JVN14876762/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017
http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E
http://marc.info/?l=bugtraq&m=143136844732487&w=2
http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
http://rhn.redhat.com/errata/RHSA-2014-0252.html
http://rhn.redhat.com/errata/RHSA-2014-0253.html
http://rhn.redhat.com/errata/RHSA-2014-0400.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://secunia.com/advisories/57915
http://secunia.com/advisories/58075
http://secunia.com/advisories/58976
http://secunia.com/advisories/59039
http://secunia.com/advisories/59041
http://secunia.com/advisories/59183
http://secunia.com/advisories/59184
http://secunia.com/advisories/59185
http://secunia.com/advisories/59187
http://secunia.com/advisories/59232
http://secunia.com/advisories/59399
http://secunia.com/advisories/59492
http://secunia.com/advisories/59500
http://secunia.com/advisories/59725
http://secunia.com/advisories/60475
http://secunia.com/advisories/60753
http://svn.apache.org/r1565143
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://www-01.ibm.com/support/docview.wss?uid=swg21669554
http://www-01.ibm.com/support/docview.wss?uid=swg21675432
http://www-01.ibm.com/support/docview.wss?uid=swg21676091
http://www-01.ibm.com/support/docview.wss?uid=swg21676092
http://www-01.ibm.com/support/docview.wss?uid=swg21676401
http://www-01.ibm.com/support/docview.wss?uid=swg21676403
http://www-01.ibm.com/support/docview.wss?uid=swg21676405
http://www-01.ibm.com/support/docview.wss?uid=swg21676410
http://www-01.ibm.com/support/docview.wss?uid=swg21676656
http://www-01.ibm.com/support/docview.wss?uid=swg21676853
http://www-01.ibm.com/support/docview.wss?uid=swg21677691
http://www-01.ibm.com/support/docview.wss?uid=swg21677724
http://www-01.ibm.com/support/docview.wss?uid=swg21681214
http://www.debian.org/security/2014/dsa-2856
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/archive/1/532549/100/0/threaded
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/65400
http://www.ubuntu.com/usn/USN-2130-1
http://www.vmware.com/security/advisories/VMSA-2014-0007.html
http://www.vmware.com/security/advisories/VMSA-2014-0008.html
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
apache/tomcat@2938472
https://svn.apache.org/viewvc?view=revision&revision=1565143
https://svn.apache.org/viewvc?view=revision&revision=1565163
https://svn.apache.org/viewvc?view=revision&revision=1565169
https://tomcat.apache.org/security-7.html
https://tomcat.apache.org/security-8.html
apache/commons-fileupload@c61ff05

Published by the National Vulnerability Database

Apr 1, 2014

Published to the GitHub Advisory Database Dec 21, 2018

Reviewed Jun 16, 2020

Last updated Mar 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly