Apache Software Foundation
- Apache Tomcat 8.0.0-RC1 to 8.0.8 inclusive
- Apache Tomcat 7.0.0 to 7.0.54 inclusive
- Apache Tomcat 6.0.0 to 6.0.41 inclusive
It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request.
Users of affected versions should apply the following mitigation:
- Upgrade to tc Runtime 7.0.55.A or later
- Upgrade to tc Runtime 6.0.43.A or later
This issue was identified by the Apache Tomcat security team.
2015-Feb-09: Initial vulnerability report published.