PT-2013-4936 · Apache+3 · Apache Tomcat+3

Vincent Danen · Published 2013-09-23 · Updated 2022-05-14 · CVE-2013-4286

CVSS v2.0: 5.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions prior to 6.0.39
Apache Tomcat versions prior to 7.0.47
Apache Tomcat versions prior to 8.0.0-RC3

Description

The issue arises from the improper handling of certain inconsistent HTTP request headers when an HTTP connector or AJP connector is used. This allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via multiple Content-Length headers or a Content-Length header together with a "Transfer-Encoding: chunked" header.

Recommendations

For Apache Tomcat versions prior to 6.0.39, update to version 6.0.39 or later.
For Apache Tomcat versions prior to 7.0.47, update to version 7.0.47 or later.
For Apache Tomcat versions prior to 8.0.0-RC3, update to version 8.0.0-RC3 or later.
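As an added illustration, not part of this advisory and not Tomcat's own code, the following check shows the request-framing rule that closes this class of bug: a request carrying both Content-Length and Transfer-Encoding, or Content-Length values that disagree, is refused instead of being parsed with one interpretation by the front end and another by Tomcat. It assumes headers arrive as (name, value) pairs in the order received, as a proxy or servlet filter would see them.

```python
"""Defensive HTTP request-framing check (added example, not Tomcat code).

Follows the RFC 7230 section 3.3.3 guidance on ambiguous message length,
taking the strict option of rejecting rather than repairing the request.
"""
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]


def framing_error(headers: Iterable[Header]) -> Optional[str]:
    """Return a reason if the request's length framing is ambiguous, else None."""
    content_lengths: List[str] = []
    has_transfer_encoding = False
    for name, value in headers:
        key = name.strip().lower()
        if key == "content-length":
            # "Content-Length: 42, 42" is a list form; split it into values.
            content_lengths.extend(v.strip() for v in value.split(","))
        elif key == "transfer-encoding":
            has_transfer_encoding = True

    if has_transfer_encoding and content_lengths:
        # CL + TE: two parsers may disagree on where the body ends.
        return "Content-Length and Transfer-Encoding both present"
    for raw in content_lengths:
        if not raw.isdigit():
            return f"invalid Content-Length value: {raw!r}"
    if len(set(content_lengths)) > 1:
        # Several Content-Length headers are tolerable only if all agree.
        return f"conflicting Content-Length values: {sorted(set(content_lengths))}"
    return None


if __name__ == "__main__":
    # Constructed sample header sets, not captured traffic.
    samples = {
        "single CL": [("Host", "example.test"), ("Content-Length", "5")],
        "duplicate equal CL": [("Content-Length", "5"), ("Content-Length", "5")],
        "conflicting CL": [("Content-Length", "5"), ("Content-Length", "7")],
        "CL + TE": [("Content-Length", "5"), ("Transfer-Encoding", "chunked")],
    }
    for label, hdrs in samples.items():
        print(f"{label}: {framing_error(hdrs) or 'accepted'}")
```

A request the check refuses should be answered with 400 and the connection closed, so that no bytes of its supposed body are reinterpreted as the start of a second request.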

Fix

RCE


Weakness Enumeration

Related identifiers

CESA-2014_0429
CVE-2013-4286
DLA-91-1
DSA-2897-1
DSA-3530-1
GHSA-J448-J653-R3VJ
HPSBUX03150
MGASA-2014-0148
MGASA-2014-0149
RHSA-2014:0343
RHSA-2014:0344
RHSA-2014:0429
RHSA-2014:0525
RHSA-2014:0526
RHSA-2014:0686
RHSA-2014_0429
RHSA-2014_0686
USN-2130-1

Affected products

Apache Tomcat
Centos
Hp-Ux
Red Hat