CVE-2014-0050: Commons FileUpload Denial of service vulnerability

December 21, 2018 (updated September 29, 2023)

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.

References

advisories.mageia.org/MGASA-2014-0110.html
blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
jvn.jp/en/jp/JVN14876762/index.html
jvndb.jvn.jp/jvndb/JVNDB-2014-000017
mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E
marc.info/?l=bugtraq&m=143136844732487&w=2
packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
rhn.redhat.com/errata/RHSA-2014-0252.html
rhn.redhat.com/errata/RHSA-2014-0253.html
rhn.redhat.com/errata/RHSA-2014-0400.html
seclists.org/fulldisclosure/2014/Dec/23
secunia.com/advisories/57915
secunia.com/advisories/58075
secunia.com/advisories/58976
secunia.com/advisories/59039
secunia.com/advisories/59041
secunia.com/advisories/59183
secunia.com/advisories/59184
secunia.com/advisories/59185
secunia.com/advisories/59187
secunia.com/advisories/59232
secunia.com/advisories/59399
secunia.com/advisories/59492
secunia.com/advisories/59500
secunia.com/advisories/59725
secunia.com/advisories/60475
secunia.com/advisories/60753
svn.apache.org/r1565143
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html
www-01.ibm.com/support/docview.wss?uid=swg21669554
www-01.ibm.com/support/docview.wss?uid=swg21675432
www-01.ibm.com/support/docview.wss?uid=swg21676091
www-01.ibm.com/support/docview.wss?uid=swg21676092
www-01.ibm.com/support/docview.wss?uid=swg21676401
www-01.ibm.com/support/docview.wss?uid=swg21676403
www-01.ibm.com/support/docview.wss?uid=swg21676405
www-01.ibm.com/support/docview.wss?uid=swg21676410
www-01.ibm.com/support/docview.wss?uid=swg21676656
www-01.ibm.com/support/docview.wss?uid=swg21676853
www-01.ibm.com/support/docview.wss?uid=swg21677691
www-01.ibm.com/support/docview.wss?uid=swg21677724
www-01.ibm.com/support/docview.wss?uid=swg21681214
www.debian.org/security/2014/dsa-2856
www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html
www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html
www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html
www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
www.mandriva.com/security/advisories?name=MDVSA-2015:084
www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
www.securityfocus.com/archive/1/532549/100/0/threaded
www.securityfocus.com/archive/1/534161/100/0/threaded
www.securityfocus.com/bid/65400
www.ubuntu.com/usn/USN-2130-1
www.vmware.com/security/advisories/VMSA-2014-0007.html
www.vmware.com/security/advisories/VMSA-2014-0008.html
www.vmware.com/security/advisories/VMSA-2014-0012.html
bugzilla.redhat.com/show_bug.cgi?id=1062337
github.com/advisories/GHSA-xx68-jfcg-xmmf
github.com/apache/tomcat/commit/29384723d8d9645b87e05be9fa369a4deeb78b9c
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
nvd.nist.gov/vuln/detail/CVE-2014-0050
svn.apache.org/viewvc?view=revision&revision=1565143
svn.apache.org/viewvc?view=revision&revision=1565163
svn.apache.org/viewvc?view=revision&revision=1565169
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html

Detect and mitigate CVE-2014-0050 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →