Vulnerability Description
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Retail Applications | 12.0 |
| Apache | Commons Fileupload | <= 1.3 |
| Apache | Tomcat | 7.0.0 |
Related Weaknesses (CWE)
References
- http://advisories.mageia.org/MGASA-2014-0110.html
- http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-wExploit
- http://jvn.jp/en/jp/JVN14876762/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017
- http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.903
- http://marc.info/?l=bugtraq&m=143136844732487&w=2
- http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.h
- http://rhn.redhat.com/errata/RHSA-2014-0252.html
- http://rhn.redhat.com/errata/RHSA-2014-0253.html
- http://rhn.redhat.com/errata/RHSA-2014-0400.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://secunia.com/advisories/57915
- http://secunia.com/advisories/58075
- http://secunia.com/advisories/58976
- http://secunia.com/advisories/59039
FAQ
What is CVE-2014-0050?
CVE-2014-0050 is a vulnerability with a CVSS score of 7.5 (HIGH). MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU con...
How severe is CVE-2014-0050?
CVE-2014-0050 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-0050?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle Retail Applications, Apache Commons Fileupload, Apache Tomcat.