CVE-2014-0050

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2014-0050
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2014-04-01 06:27:00 UTC
Updated2023-11-07 02:18:00 UTC
DescriptionMultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Risk And Classification

Problem Types: CWE-264

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Apache Commons Fileupload 1.0 All All All
Application Apache Commons Fileupload 1.1 All All All
Application Apache Commons Fileupload 1.1.1 All All All
Application Apache Commons Fileupload 1.2 All All All
Application Apache Commons Fileupload 1.2.1 All All All
Application Apache Commons Fileupload 1.2.2 All All All
Application Apache Commons Fileupload 1.0 All All All
Application Apache Commons Fileupload 1.1 All All All
Application Apache Commons Fileupload 1.1.1 All All All
Application Apache Commons Fileupload 1.2 All All All
Application Apache Commons Fileupload 1.2.1 All All All
Application Apache Commons Fileupload 1.2.2 All All All
Application Apache Commons Fileupload All All All All
Application Apache Tomcat 7.0.0 All All All
Application Apache Tomcat 7.0.0 beta All All
Application Apache Tomcat 7.0.1 All All All
Application Apache Tomcat 7.0.10 All All All
Application Apache Tomcat 7.0.11 All All All
Application Apache Tomcat 7.0.12 All All All
Application Apache Tomcat 7.0.13 All All All
Application Apache Tomcat 7.0.14 All All All
Application Apache Tomcat 7.0.15 All All All
Application Apache Tomcat 7.0.16 All All All
Application Apache Tomcat 7.0.17 All All All
Application Apache Tomcat 7.0.18 All All All
Application Apache Tomcat 7.0.19 All All All
Application Apache Tomcat 7.0.2 All All All
Application Apache Tomcat 7.0.2 beta All All
Application Apache Tomcat 7.0.20 All All All
Application Apache Tomcat 7.0.21 All All All
Application Apache Tomcat 7.0.22 All All All
Application Apache Tomcat 7.0.23 All All All
Application Apache Tomcat 7.0.24 All All All
Application Apache Tomcat 7.0.25 All All All
Application Apache Tomcat 7.0.26 All All All
Application Apache Tomcat 7.0.27 All All All
Application Apache Tomcat 7.0.28 All All All
Application Apache Tomcat 7.0.29 All All All
Application Apache Tomcat 7.0.3 All All All
Application Apache Tomcat 7.0.30 All All All
Application Apache Tomcat 7.0.31 All All All
Application Apache Tomcat 7.0.32 All All All
Application Apache Tomcat 7.0.33 All All All
Application Apache Tomcat 7.0.34 All All All
Application Apache Tomcat 7.0.35 All All All
Application Apache Tomcat 7.0.36 All All All
Application Apache Tomcat 7.0.37 All All All
Application Apache Tomcat 7.0.38 All All All
Application Apache Tomcat 7.0.39 All All All
Application Apache Tomcat 7.0.4 All All All
Application Apache Tomcat 7.0.4 beta All All
Application Apache Tomcat 7.0.40 All All All
Application Apache Tomcat 7.0.41 All All All
Application Apache Tomcat 7.0.42 All All All
Application Apache Tomcat 7.0.43 All All All
Application Apache Tomcat 7.0.44 All All All
Application Apache Tomcat 7.0.45 All All All
Application Apache Tomcat 7.0.46 All All All
Application Apache Tomcat 7.0.47 All All All
Application Apache Tomcat 7.0.48 All All All
Application Apache Tomcat 7.0.49 All All All
Application Apache Tomcat 7.0.5 All All All
Application Apache Tomcat 7.0.50 All All All
Application Apache Tomcat 7.0.6 All All All
Application Apache Tomcat 7.0.7 All All All
Application Apache Tomcat 7.0.8 All All All
Application Apache Tomcat 7.0.9 All All All
Application Apache Tomcat 8.0.0 rc1 All All
Application Apache Tomcat 8.0.0 rc10 All All
Application Apache Tomcat 8.0.0 rc2 All All
Application Apache Tomcat 8.0.0 rc5 All All
Application Apache Tomcat 8.0.1 All All All
Application Apache Tomcat 7.0.0 All All All
Application Apache Tomcat 7.0.0 beta All All
Application Apache Tomcat 7.0.1 All All All
Application Apache Tomcat 7.0.10 All All All
Application Apache Tomcat 7.0.11 All All All
Application Apache Tomcat 7.0.12 All All All
Application Apache Tomcat 7.0.13 All All All
Application Apache Tomcat 7.0.14 All All All
Application Apache Tomcat 7.0.15 All All All
Application Apache Tomcat 7.0.16 All All All
Application Apache Tomcat 7.0.17 All All All
Application Apache Tomcat 7.0.18 All All All
Application Apache Tomcat 7.0.19 All All All
Application Apache Tomcat 7.0.2 All All All
Application Apache Tomcat 7.0.2 beta All All
Application Apache Tomcat 7.0.20 All All All
Application Apache Tomcat 7.0.21 All All All
Application Apache Tomcat 7.0.22 All All All
Application Apache Tomcat 7.0.23 All All All
Application Apache Tomcat 7.0.24 All All All
Application Apache Tomcat 7.0.25 All All All
Application Apache Tomcat 7.0.26 All All All
Application Apache Tomcat 7.0.27 All All All
Application Apache Tomcat 7.0.28 All All All
Application Apache Tomcat 7.0.29 All All All
Application Apache Tomcat 7.0.3 All All All
Application Apache Tomcat 7.0.30 All All All
Application Apache Tomcat 7.0.31 All All All
Application Apache Tomcat 7.0.32 All All All
Application Apache Tomcat 7.0.33 All All All
Application Apache Tomcat 7.0.34 All All All
Application Apache Tomcat 7.0.35 All All All
Application Apache Tomcat 7.0.36 All All All
Application Apache Tomcat 7.0.37 All All All
Application Apache Tomcat 7.0.38 All All All
Application Apache Tomcat 7.0.39 All All All
Application Apache Tomcat 7.0.4 All All All
Application Apache Tomcat 7.0.4 beta All All
Application Apache Tomcat 7.0.40 All All All
Application Apache Tomcat 7.0.41 All All All
Application Apache Tomcat 7.0.42 All All All
Application Apache Tomcat 7.0.43 All All All
Application Apache Tomcat 7.0.44 All All All
Application Apache Tomcat 7.0.45 All All All
Application Apache Tomcat 7.0.46 All All All
Application Apache Tomcat 7.0.47 All All All
Application Apache Tomcat 7.0.48 All All All
Application Apache Tomcat 7.0.49 All All All
Application Apache Tomcat 7.0.5 All All All
Application Apache Tomcat 7.0.50 All All All
Application Apache Tomcat 7.0.6 All All All
Application Apache Tomcat 7.0.7 All All All
Application Apache Tomcat 7.0.8 All All All
Application Apache Tomcat 7.0.9 All All All
Application Apache Tomcat 8.0.0 rc1 All All
Application Apache Tomcat 8.0.0 rc10 All All
Application Apache Tomcat 8.0.0 rc2 All All
Application Apache Tomcat 8.0.0 rc5 All All
Application Apache Tomcat 8.0.1 All All All
Application Oracle Retail Applications 12.0 All All All
Application Oracle Retail Applications 12.0in All All All
Application Oracle Retail Applications 13.0 All All All
Application Oracle Retail Applications 13.1 All All All
Application Oracle Retail Applications 13.2 All All All
Application Oracle Retail Applications 13.3 All All All
Application Oracle Retail Applications 13.4 All All All
Application Oracle Retail Applications 14.0 All All All
Application Oracle Retail Applications 12.0 All All All
Application Oracle Retail Applications 12.0in All All All
Application Oracle Retail Applications 13.0 All All All
Application Oracle Retail Applications 13.1 All All All
Application Oracle Retail Applications 13.2 All All All
Application Oracle Retail Applications 13.3 All All All
Application Oracle Retail Applications 13.4 All All All
Application Oracle Retail Applications 14.0 All All All

References

ReferenceSourceLinkTags
Security Advisory SA58075 - IBM Content Navigator Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
Support / Security / Advisories / / MDVSA-2015:084 | Mandriva MANDRIVA www.mandriva.com
[SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS mail-archives.apache.org
Security Advisory SA59399 - IBM Content Manager Services for Lotus Quickr Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
IBM Security Bulletin: Content Integrator- Apache Commons FileUpload is vulnerable to a denial of service - United States CONFIRM www-01.ibm.com
Security Advisory SA59184 - IBM DataQuant Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
About Secunia Research | Flexera SECUNIA secunia.com
Apache Commons FileUpload CVE-2014-0050 Denial Of Service Vulnerability BID www.securityfocus.com
IBM Security Bulletin: A security vulnerability has been identified in Business Space shipped with IBM Business Monitor and WebSphere Business Monitor (CVE-2014-0050) - United States CONFIRM www-01.ibm.com
Red Hat Customer Portal REDHAT rhn.redhat.com
Oracle Critical Patch Update - October 2015 CONFIRM www.oracle.com
IBM Security Bulletin: IBM Enterprise Records (CVE-2014-0050) - United States CONFIRM www-01.ibm.com
JVNDB-2014-000017 JVNDB jvndb.jvn.jp
DoS Vulnerability in JP1/IT Desktop Management - Manager and Job Management Partner 1/IT Desktop Management - Manager: Software Vulnerability Information: Software: Hitachi CONFIRM www.hitachi.co.jp
Mageia Advisory: MGASA-2014-0110 - Updated tomcat packages fix CVE-2014-0050 CONFIRM advisories.mageia.org
IBM notice: The page you requested cannot be displayed CONFIRM www-01.ibm.com
VMSA-2014-0012 | United States CONFIRM www.vmware.com
VMSA-2014-0008.2 | United States CONFIRM www.vmware.com
Red Hat Customer Portal REDHAT rhn.redhat.com
SecurityFocus BUGTRAQ www.securityfocus.com
Document Display | HPE Support Center CONFIRM h20566.www2.hpe.com
[SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS MLIST mail-archives.apache.org
IBM Security Bulletin: IBM Initiate Master Data Service and IBM InfoSphere Master Data Management may be affected by a denial of service vulnerability in Apache Commons FileUpload (CVE-2014-0050) - United States CONFIRM www-01.ibm.com
IBM Security Bulletin: IBM Domino and IBM XWork Server Vulnerable to Apache Commons FileUpload Denial of Service (CVE-2014-0050) - United States CONFIRM www-01.ibm.com
Oracle Critical Patch Update - October 2016 CONFIRM www.oracle.com
VMware Security Advisory 2014-0007 ≈ Packet Storm MISC packetstormsecurity.com
Security Advisory SA59185 - Hitachi IT Operations Analyzer Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
IBM Security Bulletin: DataQuant for WebSphere is affected by a vulnerability in Apache Commons FileUpload (CVE-2014-0050) - United States CONFIRM www-01.ibm.com
Security Advisory SA59041 - IBM Domino Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
Oracle Critical Patch Update - January 2015 CONFIRM www.oracle.com
JVN#14876762: Apache Commons FileUpload vulnerable to denial-of-service (DoS) JVN jvn.jp
Full Disclosure: NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities FULLDISC seclists.org
Security Advisory SA58976 - IBM DB2 Query Management Facility (QMF) for WebSphere Apache Commons FileUpload Vulnerability - Secunia SECUNIA secunia.com
IBM Security Bulletin: Apache Commons FileUpload is vulnerable to a denial of service (CVEID: CVE-2014-0050) in IBM Content Manager Services for Lotus Quickr - United States CONFIRM www-01.ibm.com
DoS Vulnerability in Hitachi IT Operations Director: Software Vulnerability Information: Software: Hitachi CONFIRM www.hitachi.co.jp
Security Advisory SA59492 - VMware vCenter Orchestrator (vCO) Denial of Service Vulnerability - Secunia SECUNIA secunia.com
Security Advisory SA59187 - Hitachi IT Operations Director Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
Red Hat Customer Portal REDHAT rhn.redhat.com
IBM Security Bulletin: Apache Commons FileUpload and Tomcat are vulnerable to a denial of service - United States CONFIRM www-01.ibm.com
Document Display | HPE Support Center CONFIRM h20566.www2.hpe.com
IBM Security Bulletin: QMF for WebSphere is affected by a vulnerability in Apache Commons FileUpload (CVE-2014-0050) - United States CONFIRM www-01.ibm.com
[Apache-SVN] Revision 1565143 CONFIRM svn.apache.org Patch
IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.2 - United States CONFIRM www-01.ibm.com
IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 - United States CONFIRM www-01.ibm.com
Security Advisory SA60475 - IBM Content Integrator Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
Security Advisory SA60753 - IBM Enterprise Records Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
DoS Vulnerability in Hitachi IT Operations Analyzer: Software Vulnerability Information: Software: Hitachi CONFIRM www.hitachi.co.jp
CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries MISC blog.spiderlabs.com Exploit
Oracle Critical Patch Update - October 2014 CONFIRM www.oracle.com
Oracle Critical Patch Update - July 2014 CONFIRM www.oracle.com
Oracle Critical Patch Update - April 2015 CONFIRM www.oracle.com
Apache Commons FileUpload: Multiple vulnerabilities (GLSA 202107-39) — Gentoo security GENTOO security.gentoo.org
Security Advisory SA59725 - IBM Lotus Mashups Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
Apache Tomcat® - Apache Tomcat 7 vulnerabilities CONFIRM tomcat.apache.org Patch, Vendor Advisory
Apache Tomcat® - Apache Tomcat 8 vulnerabilities CONFIRM tomcat.apache.org Patch, Vendor Advisory
Security Advisory-Apache Struts2 vulnerability on Huawei multiple products - Huawei PSIRT CONFIRM www.huawei.com
'[security bulletin] HPSBGN03329 rev.1 - HP SDN VAN Controller, Remote Denial of Service (DoS), Distr' - MARC HP marc.info
Bug 1062337 – CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream CONFIRM bugzilla.redhat.com
Security Advisory SA59232 - IBM Initiate Master Data Service / IBM InfoSphere Master Data Management Denial of Service Vulnerability - Secunia SECUNIA secunia.com
Security Advisory SA59039 - IBM Business Monitor Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
SecurityFocus BUGTRAQ www.securityfocus.com
Debian -- Security Information -- DSA-2856-1 libcommons-fileupload-java DEBIAN www.debian.org
USN-2130-1: Tomcat vulnerabilities | Ubuntu UBUNTU www.ubuntu.com
Security Advisory SA59183 - Hitachi Multiple Products Apache Commons FileUpload Denial of Service Vulnerability - Secunia SECUNIA secunia.com
Document Display | HPE Support Center CONFIRM h20566.www2.hpe.com
Oracle Critical Patch Update - October 2017 CONFIRM www.oracle.com
Security Advisory SA59500 - VMware vCenter Operations Manager (vCOps) Two Vulnerabilities - Secunia SECUNIA secunia.com
VMSA-2014-0007.2 | United States CONFIRM www.vmware.com
IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.9 - United States CONFIRM www-01.ibm.com
Oracle Critical Patch Update - January 2016 CONFIRM www.oracle.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 710049 Gentoo Linux Apache Commons FileUpload Multiple Vulnerabilities (GLSA 202107-39)
  • 981999 Java (maven) Security Update for commons-fileupload:commons-fileupload (GHSA-xx68-jfcg-xmmf)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report