Input validation error in Apache Tomcat - CVE-2013-0338

 


Published: April 26, 2013 / Updated: February 3, 2021


Vulnerability identifier: #VU32708
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-0338
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software: Apache Tomcat

Detailed vulnerability description

The vulnerability allows context-dependent attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
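A pre-parse screening check for the pattern described above, as an added example that is not part of the advisory or of any vendor code: it estimates how large a document becomes once internal entities are expanded and rejects it past a budget. The function name `expanded_size`, the limit values and the sample document are assumptions made for illustration; the check is a regex-based estimate and also covers nested entities, which goes beyond the linear case in the description.

```python
import re

# Internal general entity declaration: <!ENTITY name "replacement text">
ENTITY_DECL = re.compile(r"<!ENTITY\s+([^\s%\"']+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
# General entity reference: &name; (character references like &#65; are skipped)
ENTITY_REF = re.compile(r"&([^\s;#&]+);")


def expanded_size(xml_text, limit):
    """Estimate the character count of xml_text after internal entity expansion.

    Raises ValueError when expansion pushes the estimate past `limit` or when
    entities reference each other in a cycle. (Hypothetical helper name.)
    """
    decls = {}
    for m in ENTITY_DECL.finditer(xml_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        decls.setdefault(m.group(1), value)  # the first declaration binds

    cache = {}  # entity name -> fully expanded length

    def size_of(text, stack):
        total = len(text)
        for ref in ENTITY_REF.finditer(text):
            name = ref.group(1)
            if name not in decls:
                continue  # predefined or undeclared: keep the literal length
            if name in stack:
                raise ValueError(f"recursive entity reference: {name}")
            if name not in cache:
                cache[name] = size_of(decls[name], stack | {name})
            # Swap the length of "&name;" for the length of its expansion.
            total += cache[name] - len(ref.group(0))
            if total > limit:
                raise ValueError(f"expansion exceeds {limit} characters")
        return total

    # Only content after the internal DTD subset is expanded into the document.
    end = xml_text.find("]>")
    body = xml_text[end + 2:] if end != -1 else xml_text
    return size_of(body, frozenset())


# Constructed sample: one entity with long replacement text, referenced many times.
SAMPLE = ('<!DOCTYPE r [<!ENTITY a "' + "x" * 1000 + '">]>'
          "<r>" + "&a;" * 200 + "</r>")
```

The constructed sample is under 2 KB on the wire but expands to roughly 200,000 characters, which is the ratio an input size limit alone does not catch.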


How to mitigate CVE-2013-0338

Install the update from the vendor's website.
