CVE-2014-0050
Summary
| CVE | CVE-2014-0050 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-04-01 06:27:51 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Commons Fileupload | 1.0 | All | All | All |
| Application | Apache | Commons Fileupload | 1.1 | All | All | All |
| Application | Apache | Commons Fileupload | 1.1.1 | All | All | All |
| Application | Apache | Commons Fileupload | 1.2 | All | All | All |
| Application | Apache | Commons Fileupload | 1.2.1 | All | All | All |
| Application | Apache | Commons Fileupload | 1.2.2 | All | All | All |
| Application | Apache | Commons Fileupload | All | All | All | All |
| Application | Apache | Tomcat | 7.0.0 | All | All | All |
| Application | Apache | Tomcat | 7.0.0 | beta | All | All |
| Application | Apache | Tomcat | 7.0.1 | All | All | All |
| Application | Apache | Tomcat | 7.0.10 | All | All | All |
| Application | Apache | Tomcat | 7.0.11 | All | All | All |
| Application | Apache | Tomcat | 7.0.12 | All | All | All |
| Application | Apache | Tomcat | 7.0.13 | All | All | All |
| Application | Apache | Tomcat | 7.0.14 | All | All | All |
| Application | Apache | Tomcat | 7.0.15 | All | All | All |
| Application | Apache | Tomcat | 7.0.16 | All | All | All |
| Application | Apache | Tomcat | 7.0.17 | All | All | All |
| Application | Apache | Tomcat | 7.0.18 | All | All | All |
| Application | Apache | Tomcat | 7.0.19 | All | All | All |
| Application | Apache | Tomcat | 7.0.2 | All | All | All |
| Application | Apache | Tomcat | 7.0.2 | beta | All | All |
| Application | Apache | Tomcat | 7.0.20 | All | All | All |
| Application | Apache | Tomcat | 7.0.21 | All | All | All |
| Application | Apache | Tomcat | 7.0.22 | All | All | All |
| Application | Apache | Tomcat | 7.0.23 | All | All | All |
| Application | Apache | Tomcat | 7.0.24 | All | All | All |
| Application | Apache | Tomcat | 7.0.25 | All | All | All |
| Application | Apache | Tomcat | 7.0.26 | All | All | All |
| Application | Apache | Tomcat | 7.0.27 | All | All | All |
| Application | Apache | Tomcat | 7.0.28 | All | All | All |
| Application | Apache | Tomcat | 7.0.29 | All | All | All |
| Application | Apache | Tomcat | 7.0.3 | All | All | All |
| Application | Apache | Tomcat | 7.0.30 | All | All | All |
| Application | Apache | Tomcat | 7.0.31 | All | All | All |
| Application | Apache | Tomcat | 7.0.32 | All | All | All |
| Application | Apache | Tomcat | 7.0.33 | All | All | All |
| Application | Apache | Tomcat | 7.0.34 | All | All | All |
| Application | Apache | Tomcat | 7.0.35 | All | All | All |
| Application | Apache | Tomcat | 7.0.36 | All | All | All |
| Application | Apache | Tomcat | 7.0.37 | All | All | All |
| Application | Apache | Tomcat | 7.0.38 | All | All | All |
| Application | Apache | Tomcat | 7.0.39 | All | All | All |
| Application | Apache | Tomcat | 7.0.4 | All | All | All |
| Application | Apache | Tomcat | 7.0.4 | beta | All | All |
| Application | Apache | Tomcat | 7.0.40 | All | All | All |
| Application | Apache | Tomcat | 7.0.41 | All | All | All |
| Application | Apache | Tomcat | 7.0.42 | All | All | All |
| Application | Apache | Tomcat | 7.0.43 | All | All | All |
| Application | Apache | Tomcat | 7.0.44 | All | All | All |
| Application | Apache | Tomcat | 7.0.45 | All | All | All |
| Application | Apache | Tomcat | 7.0.46 | All | All | All |
| Application | Apache | Tomcat | 7.0.47 | All | All | All |
| Application | Apache | Tomcat | 7.0.48 | All | All | All |
| Application | Apache | Tomcat | 7.0.49 | All | All | All |
| Application | Apache | Tomcat | 7.0.5 | All | All | All |
| Application | Apache | Tomcat | 7.0.50 | All | All | All |
| Application | Apache | Tomcat | 7.0.6 | All | All | All |
| Application | Apache | Tomcat | 7.0.7 | All | All | All |
| Application | Apache | Tomcat | 7.0.8 | All | All | All |
| Application | Apache | Tomcat | 7.0.9 | All | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc1 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc10 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc2 | All | All |
| Application | Apache | Tomcat | 8.0.0 | rc5 | All | All |
| Application | Apache | Tomcat | 8.0.1 | All | All | All |
| Application | Oracle | Retail Applications | 12.0 | All | All | All |
| Application | Oracle | Retail Applications | 12.0in | All | All | All |
| Application | Oracle | Retail Applications | 13.0 | All | All | All |
| Application | Oracle | Retail Applications | 13.1 | All | All | All |
| Application | Oracle | Retail Applications | 13.2 | All | All | All |
| Application | Oracle | Retail Applications | 13.3 | All | All | All |
| Application | Oracle | Retail Applications | 13.4 | All | All | All |
| Application | Oracle | Retail Applications | 14.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Security Advisory SA60753 - IBM Enterprise Records Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Debian -- Security Information -- DSA-2856-1 libcommons-fileupload-java | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Mageia Advisory: MGASA-2014-0110 - Updated tomcat packages fix CVE-2014-0050 | af854a3a-2127-422b-91ae-364da2661108 | advisories.mageia.org | |
| IBM Security Bulletin: Content Integrator- Apache Commons FileUpload is vulnerable to a denial of service - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Security Advisory SA59399 - IBM Content Manager Services for Lotus Quickr Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59039 - IBM Business Monitor Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| IBM Security Bulletin: IBM Initiate Master Data Service and IBM InfoSphere Master Data Management may be affected by a denial of service vulnerability in Apache Commons FileUpload (CVE-2014-0050) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Apache Commons FileUpload: Multiple vulnerabilities (GLSA 202107-39) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| Security Advisory-Apache Struts2 vulnerability on Huawei multiple products - Huawei PSIRT | af854a3a-2127-422b-91ae-364da2661108 | www.huawei.com | |
| Security Advisory SA59492 - VMware vCenter Orchestrator (vCO) Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| VMware Security Advisory 2014-0007 ≈ Packet Storm | af854a3a-2127-422b-91ae-364da2661108 | packetstormsecurity.com | |
| Security Advisory SA58075 - IBM Content Navigator Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Oracle Critical Patch Update - October 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| jvndb.jvn.jp/jvndb/JVNDB-2014-000017 | af854a3a-2127-422b-91ae-364da2661108 | jvndb.jvn.jp | |
| '[security bulletin] HPSBGN03329 rev.1 - HP SDN VAN Controller, Remote Denial of Service (DoS), Distr' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | |
| Apache Tomcat® - Apache Tomcat 8 vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | tomcat.apache.org | Patch, Vendor Advisory |
| Oracle Critical Patch Update - October 2014 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| IBM Security Bulletin: DataQuant for WebSphere is affected by a vulnerability in Apache Commons FileUpload (CVE-2014-0050) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| IBM Security Bulletin: Apache Commons FileUpload and Tomcat are vulnerable to a denial of service - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| DoS Vulnerability in JP1/IT Desktop Management - Manager and Job Management Partner 1/IT Desktop Management - Manager: Software Vulnerability Information: Software: Hitachi | af854a3a-2127-422b-91ae-364da2661108 | www.hitachi.co.jp | |
| Security Advisory SA59185 - Hitachi IT Operations Analyzer Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Apache Tomcat® - Apache Tomcat 7 vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | tomcat.apache.org | Patch, Vendor Advisory |
| IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.33 - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Oracle Critical Patch Update - October 2015 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| USN-2130-1: Tomcat vulnerabilities \| Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| Document Display \| HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | |
| VMSA-2014-0007.2 \| United States | af854a3a-2127-422b-91ae-364da2661108 | www.vmware.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| SecurityFocus | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| Security Advisory SA58976 - IBM DB2 Query Management Facility (QMF) for WebSphere Apache Commons FileUpload Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Oracle Critical Patch Update - July 2014 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.9 - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Bug 1062337 – CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | |
| IBM Security Bulletin: A security vulnerability has been identified in Business Space shipped with IBM Business Monitor and WebSphere Business Monitor (CVE-2014-0050) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Oracle Critical Patch Update - April 2015 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Security Advisory SA60475 - IBM Content Integrator Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59183 - Hitachi Multiple Products Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| IBM Security Bulletin: QMF for WebSphere is affected by a vulnerability in Apache Commons FileUpload (CVE-2014-0050) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Oracle Critical Patch Update - October 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Security Advisory SA59725 - IBM Lotus Mashups Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59041 - IBM Domino Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Oracle Critical Patch Update - January 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS | af854a3a-2127-422b-91ae-364da2661108 | mail-archives.apache.org | |
| CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries | af854a3a-2127-422b-91ae-364da2661108 | blog.spiderlabs.com | Exploit |
| Security Advisory SA59187 - Hitachi IT Operations Director Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Document Display \| HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | |
| IBM Security Bulletin: IBM Domino and IBM XWork Server Vulnerable to Apache Commons FileUpload Denial of Service (CVE-2014-0050) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| VMSA-2014-0008.2 \| United States | af854a3a-2127-422b-91ae-364da2661108 | www.vmware.com | |
| JVN#14876762: Apache Commons FileUpload vulnerable to denial-of-service (DoS) | af854a3a-2127-422b-91ae-364da2661108 | jvn.jp | |
| Support / Security / Advisories / / MDVSA-2015:084 \| Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| IBM Security Bulletin: IBM Enterprise Records (CVE-2014-0050) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Apache Commons FileUpload CVE-2014-0050 Denial Of Service Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| [Apache-SVN] Revision 1565143 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Patch |
| Security Advisory SA59184 - IBM DataQuant Apache Commons FileUpload Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| DoS Vulnerability in Hitachi IT Operations Analyzer: Software Vulnerability Information: Software: Hitachi | af854a3a-2127-422b-91ae-364da2661108 | www.hitachi.co.jp | |
| SecurityFocus | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| IBM notice: The page you requested cannot be displayed | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| IBM Security Bulletin: Apache Commons FileUpload is vulnerable to a denial of service (CVEID: CVE-2014-0050) in IBM Content Manager Services for Lotus Quickr - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Oracle Critical Patch Update - January 2015 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Full Disclosure: NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| Security Advisory SA59232 - IBM Initiate Master Data Service / IBM InfoSphere Master Data Management Denial of Service Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Document Display \| HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | |
| About Secunia Research \| Flexera | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.2 - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Security Advisory SA59500 - VMware vCenter Operations Manager (vCOps) Two Vulnerabilities - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| VMSA-2014-0012 \| United States | af854a3a-2127-422b-91ae-364da2661108 | www.vmware.com | |
| DoS Vulnerability in Hitachi IT Operations Director: Software Vulnerability Information: Software: Hitachi | af854a3a-2127-422b-91ae-364da2661108 | www.hitachi.co.jp | |
| [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS | MITRE | mail-archives.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.