Home > Vulnerability Database > CVE-2011-4858

Mend.io Vulnerability Database

CVE-2011-4858

Good to know:

Date: January 5, 2012

Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Language: Java

Severity Score

5.3

Related Resources (31)

Url: http://rhn.redhat.com/errata/RHSA-2012-0089.html

Url: http://www.nruns.com/_downloads/advisory28122011.pdf

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18886

Url: http://rhn.redhat.com/errata/RHSA-2012-0075.html

Url: http://www.kb.cert.org/vuls/id/903934

Url: http://www.debian.org/security/2012/dsa-2401

Url: http://rhn.redhat.com/errata/RHSA-2012-0078.html

Url: http://secunia.com/advisories/55115

Url: https://github.com/apache/tomcat

Url: https://access.redhat.com/security/cve/CVE-2011-4858

Url: http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3c4EFB9800.5010106@apache.org%3e

Url: http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3c4EFB9800.5010106%40apache.org%3e

Url: http://rhn.redhat.com/errata/RHSA-2012-0074.html

Url: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Url: https://bugzilla.redhat.com/show_bug.cgi?id=750521

Url: http://rhn.redhat.com/errata/RHSA-2012-0077.html

Url: http://rhn.redhat.com/errata/RHSA-2012-0406.html

Url: http://marc.info/?l=bugtraq&m=132871655717248&w=2

Url: http://secunia.com/advisories/48790

Url: http://secunia.com/advisories/48791

Url: http://www.securityfocus.com/bid/51200

Url: http://rhn.redhat.com/errata/RHSA-2012-0076.html

Url: https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py

Url: http://secunia.com/advisories/54971

Url: http://marc.info/?l=bugtraq&m=136485229118404&w=2

Url: http://rhn.redhat.com/errata/RHSA-2012-0325.html

Url: http://secunia.com/advisories/48549

Url: http://marc.info/?l=bugtraq&m=133294394108746&w=2

Url: http://www.ocert.org/advisories/ocert-2011-003.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2011-4858

Url: https://www.mend.io/vulnerability-database/CVE-2011-4858

Severity Score

5.3

Weakness Type (CWE)

Input Validation

CWE-20

Resource Management Errors

CWE-399

Top Fix

Upgrade Version

Upgrade to version org.apache.tomcat:catalina:6.0.35,org.apache.tomcat:tomcat-coyote:7.0.23,org.apache.tomcat:tomcat-catalina:7.0.23,org.apache.tomcat.embed:tomcat-embed-core:7.0.23

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2011-4858

Good to know:

Date: January 5, 2012

Language: Java

Severity Score

Related Resources (31)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?