CVE-2014-0099
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
4.3
Description
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Tomcat
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.tomcat:tomcat | <6.0.40 | 6.0.40 |
| Maven | org.apache.tomcat:tomcat | >=7.0.0,<7.0.54 | 7.0.54 |
| Maven | org.apache.tomcat:tomcat | >=8.0.0,<8.0.6 | 8.0.6 |
| Maven | org.apache.tomcat:tomcat-util | <6.0.40 | 6.0.40 |
| Maven | org.apache.tomcat:tomcat-util | >=7.0.0,<7.0.54 | 7.0.54 |
| Maven | org.apache.tomcat:tomcat-util | >=8.0.0,<8.0.6 | 8.0.6 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | tomcat | {"endIncluding":"6.0.39"} | |
| apache | tomcat | 6 | |
| apache | tomcat | 6.0 | |
| apache | tomcat | 6.0.0 | |
| apache | tomcat | 6.0.1 | |
| apache | tomcat | 6.0.2 | |
| apache | tomcat | 6.0.3 | |
| apache | tomcat | 6.0.4 | |
| apache | tomcat | 6.0.5 | |
| apache | tomcat | 6.0.6 | |
| apache | tomcat | 6.0.7 | |
| apache | tomcat | 6.0.8 | |
| apache | tomcat | 6.0.9 | |
| apache | tomcat | 6.0.10 | |
| apache | tomcat | 6.0.11 | |
| apache | tomcat | 6.0.12 | |
| apache | tomcat | 6.0.13 | |
| apache | tomcat | 6.0.14 | |
| apache | tomcat | 6.0.15 | |
| apache | tomcat | 6.0.16 | |
| apache | tomcat | 6.0.17 | |
| apache | tomcat | 6.0.18 | |
| apache | tomcat | 6.0.19 | |
| apache | tomcat | 6.0.20 | |
| apache | tomcat | 6.0.24 | |
| apache | tomcat | 6.0.26 | |
| apache | tomcat | 6.0.27 | |
| apache | tomcat | 6.0.28 | |
| apache | tomcat | 6.0.29 | |
| apache | tomcat | 6.0.30 | |
| apache | tomcat | 6.0.31 | |
| apache | tomcat | 6.0.32 | |
| apache | tomcat | 6.0.33 | |
| apache | tomcat | 6.0.35 | |
| apache | tomcat | 6.0.36 | |
| apache | tomcat | 6.0.37 | |
| apache | tomcat | 8.0.0 | |
| apache | tomcat | 8.0.1 | |
| apache | tomcat | 8.0.3 | |
| apache | tomcat | 7.0.0 | |
| apache | tomcat | 7.0.1 | |
| apache | tomcat | 7.0.2 | |
| apache | tomcat | 7.0.3 | |
| apache | tomcat | 7.0.4 | |
| apache | tomcat | 7.0.5 | |
| apache | tomcat | 7.0.6 | |
| apache | tomcat | 7.0.7 | |
| apache | tomcat | 7.0.8 | |
| apache | tomcat | 7.0.9 | |
| apache | tomcat | 7.0.10 | |
| apache | tomcat | 7.0.11 | |
| apache | tomcat | 7.0.12 | |
| apache | tomcat | 7.0.13 | |
| apache | tomcat | 7.0.14 | |
| apache | tomcat | 7.0.15 | |
| apache | tomcat | 7.0.16 | |
| apache | tomcat | 7.0.17 | |
| apache | tomcat | 7.0.18 | |
| apache | tomcat | 7.0.19 | |
| apache | tomcat | 7.0.20 | |
| apache | tomcat | 7.0.21 | |
| apache | tomcat | 7.0.22 | |
| apache | tomcat | 7.0.23 | |
| apache | tomcat | 7.0.24 | |
| apache | tomcat | 7.0.25 | |
| apache | tomcat | 7.0.26 | |
| apache | tomcat | 7.0.27 | |
| apache | tomcat | 7.0.28 | |
| apache | tomcat | 7.0.29 | |
| apache | tomcat | 7.0.30 | |
| apache | tomcat | 7.0.31 | |
| apache | tomcat | 7.0.32 | |
| apache | tomcat | 7.0.33 | |
| apache | tomcat | 7.0.34 | |
| apache | tomcat | 7.0.35 | |
| apache | tomcat | 7.0.36 | |
| apache | tomcat | 7.0.37 | |
| apache | tomcat | 7.0.38 | |
| apache | tomcat | 7.0.39 | |
| apache | tomcat | 7.0.40 | |
| apache | tomcat | 7.0.41 | |
| apache | tomcat | 7.0.42 | |
| apache | tomcat | 7.0.43 | |
| apache | tomcat | 7.0.44 | |
| apache | tomcat | 7.0.45 | |
| apache | tomcat | 7.0.46 | |
| apache | tomcat | 7.0.47 | |
| apache | tomcat | 7.0.48 | |
| apache | tomcat | 7.0.49 | |
| apache | tomcat | 7.0.50 | |
| apache | tomcat | 7.0.52 | |
References
- https://www.suse.com/security/cve/CVE-2014-0099.html
- http://advisories.mageia.org/MGASA-2014-0268.html
- http://linux.oracle.com/errata/ELSA-2014-0865.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html
- http://marc.info/?l=bugtraq&m=141017844705317&w=2
- http://marc.info/?l=bugtraq&m=141390017113542&w=2
- http://marc.info/?l=bugtraq&m=144498216801440&w=2
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://seclists.org/fulldisclosure/2014/May/138
- http://seclists.org/fulldisclosure/2014/May/140
- http://secunia.com/advisories/59121
- http://secunia.com/advisories/59678
- http://secunia.com/advisories/59732
- http://secunia.com/advisories/59835
- http://secunia.com/advisories/59849
- http://secunia.com/advisories/59873
- http://secunia.com/advisories/60729
- http://secunia.com/advisories/60793
- http://svn.apache.org/viewvc?view=revision&revision=1578812
- http://svn.apache.org/viewvc?view=revision&revision=1578814
- http://svn.apache.org/viewvc?view=revision&revision=1580473
- http://tomcat.apache.org/security-6.html
CWEs
CWE-189
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.