Strike ID: D20-9uy71
CVSS: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
False Positive: t
Variants: 2
Year: 2020

Description

This strike exploits an infinite loop vulnerability in the WebSocket module of Apache Tomcat. The vulnerability is caused by improper validation of the extended payload length. A remote, unauthenticated attacker can send crafted WebSocket requests to the server, causing each of the worker nodes to enter an infinite loop; multiple such requests could lead to a denial of service. Note: In one-arm mode, the strike uses the specific path /examples/websocket/echoAnnotation to perform the exploitation. This path points to the WebSocket examples included with Tomcat.
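As an added example (not part of the strike description and not Tomcat's code), the following Python check applies the rules RFC 6455 section 5.2 places on the extended payload length field before a receiver acts on it. The description does not say which malformed length triggers the loop, so the function rejects every encoding the RFC forbids; parse_frame_header, FrameError, classify and the max_payload limit are names and values assumed here.

```python
import struct

class FrameError(ValueError):
    """WebSocket frame header violates RFC 6455 section 5.2."""

def parse_frame_header(buf, max_payload=1 << 20):
    """Return (opcode, masked, payload_len, header_len), or None if more bytes are needed."""
    if len(buf) < 2:
        return None
    opcode, masked, length = buf[0] & 0x0F, bool(buf[1] & 0x80), buf[1] & 0x7F
    if opcode >= 0x8 and length > 125:
        raise FrameError("control frame payload longer than 125 bytes")
    pos = 2
    if length == 126:                      # 16-bit extended payload length
        if len(buf) < pos + 2:
            return None
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if length < 126:
            raise FrameError("non-minimal 16-bit extended payload length")
    elif length == 127:                    # 64-bit extended payload length
        if len(buf) < pos + 8:
            return None
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
        if length >> 63:                   # most significant bit MUST be 0
            raise FrameError("64-bit extended payload length has its top bit set")
        if length <= 0xFFFF:
            raise FrameError("non-minimal 64-bit extended payload length")
    if length > max_payload:               # local policy limit (assumed value)
        raise FrameError("payload length exceeds configured limit")
    if masked:
        if len(buf) < pos + 4:
            return None
        pos += 4                           # skip the 4-byte masking key
    return opcode, masked, length, pos

def classify(buf):
    """Summarise a header as 'ok', 'incomplete' or 'rejected: <reason>'."""
    try:
        return "ok" if parse_frame_header(buf) else "incomplete"
    except FrameError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for sample in (b"\x81\x85abcd", b"\x82\xfe\x01\x2cabcd", b"\x82\xff\x80" + b"\x00" * 7):
        print(sample.hex(), "->", classify(sample))
```

A server or inspection device that closes the connection on a rejected header never reaches the payload-reading loop with a length it cannot satisfy.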
