ICEfaces
  1. ICEfaces
  2. ICE-10023

Fix CVE-2014-0050 DoS with malformed Content-Type header and multipart request processing

    Details

    • Assignee Priority:
      P1

      Description

      ICEfaces FileEntry makes use of an embedded copy of commons-fileupload, so is vulnerable to the following:

      MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050

        Issue Links

          Activity

          Hide
          Ted Goddard added a comment - - edited
          Show
          Ted Goddard added a comment - - edited Two small changes to fileupload/MultipartStream.java and fileupload/FileUploadBase.java: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java?r1=1561650&r2=1565169&pathrev=1565169&diff_format=h http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java?r1=1561650&r2=1565169&pathrev=1565169&diff_format=h Checkin comment: "Fix CVE-2014-0050 DoS with malformed Content-Type header and multipart request processing."
          Hide
          Mircea Toma added a comment -

          Applied patches to guard against denial of service attacks.

          Show
          Mircea Toma added a comment - Applied patches to guard against denial of service attacks.

            People

            • Assignee:
              Mircea Toma
              Reporter:
              Ted Goddard
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: