Skip to content

Apache Tomcat Denial of Service via Malformed Request Headers

Moderate severity GitHub Reviewed Published May 2, 2022 to the GitHub Advisory Database • Updated Jan 23, 2024

Package

maven org.apache.tomcat:tomcat (Maven)

Affected versions

>= 4.1.0, <= 4.1.39
>= 5.5.0, <= 5.5.27
>= 6.0.0, <= 6.0.18

Patched versions

None

Description

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.

References

Published by the National Vulnerability Database Jun 5, 2009
Published to the GitHub Advisory Database May 2, 2022
Reviewed Jan 23, 2024
Last updated Jan 23, 2024

Severity

Moderate

EPSS score

2.243%
(89th percentile)

CVE ID

CVE-2009-0033

GHSA ID

GHSA-5cw4-ggx9-36vg

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.