CVE-2012-0022

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.

Published Bysecalert@redhat.com

Published DateJan 19, 2012, 04:01

Affected Versions(3)

org.apache.tomcat:tomcat(Maven)

Introduced5.5.0

Fixed5.5.35

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced6.0.0

Fixed6.0.34

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced7.0.0

Fixed7.0.23

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.tomcat:tomcat(Maven)	5.5.0	5.5.35	N/A
org.apache.tomcat:tomcat(Maven)	6.0.0	6.0.34	N/A
org.apache.tomcat:tomcat(Maven)	7.0.0	7.0.23	N/A

Weakness Type (CWE):CWE-189

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:N/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-189

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:N/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

PARTIAL