| VID |
22660 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
According to its self-reported version number, the instance of Apache Tomcat 6.0.x listening on the remote host is earlier than Tomcat 6.0.42 and, therefore, may be affected by a flaw in 'ChunkedInputFilter.java' due to improper handling of attempts to continue reading data after an error has occurred. A remote attacker, using streaming data with malformed chunked transfer coding, can exploit this to conduct HTTP request smuggling or cause a denial of service.
* Note: This check solely relied on the version number of the remote Web server to assess this vulnerability, so this might be a false positive.
* References:
http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
* Platforms Affected:
Apache Tomcat Server versions prior to 6.0.42
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Apache Tomcat Server (6.0.42 or later), available from the Apache Software Foundation download site, http://tomcat.apache.org/ |
| Related URL |
CVE-2014-0227 (CVE) |
| Related URL |
72717 (SecurityFocus) |
| Related URL |
(ISS) |
|
