N/A

CVSS Score

Basic Information

CVE ID

CVE-2012-0022

GHSA ID

GHSA-8h2q-qm9x-55jc

EPSS Score

0.95676%

CWE

Published

5/4/2022

Updated

2/21/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2012-0022

CVE-2012-0022: Denial of Service in Apache Tomcat

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2012-0022

GHSA ID

GHSA-8h2q-qm9x-55jc

EPSS Score

0.95676%

CWE

Published

5/4/2022

Updated

2/21/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	>= 5.5.0, < 5.5.35	5.5.35
org.apache.tomcat:tomcat	maven	>= 6.0.0, < 6.0.34	6.0.34
org.apache.tomcat:tomcat	maven	>= 7.0.0, < 7.0.23	7.0.23

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2012-0022 stems from inefficient parameter handling in Apache Tomcat. Analysis of security advisories and commit diffs shows that the processParameters method in Parameters.java was modified to introduce MAX_COUNT limits (via org.apache.tomcat.util.http.Parameters.MAX_COUNT) and optimize parsing. Red Hat's errata explicitly reference this parameter limit configuration, and the Tomcat security documentation confirms the parameter handling inefficiency was addressed in this component. The code changes in the commit show additions of parameter count tracking and early termination logic, directly correlating with the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** Tom**t *.*.x ***or* *.*.**, *.x ***or* *.*.**, *n* *.x ***or* *.*.** us*s *n in***i*i*nt *ppro*** *or **n*lin* p*r*m*t*rs, w*i** *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi** (*PU *onsumption) vi* * r*qu*st t**t *ont*ins m*ny p*r*m*t*rs

Reasoning

T** vuln*r**ility *V*-****-**** st*ms *rom in***i*i*nt p*r*m*t*r **n*lin* in *p**** Tom**t. *n*lysis o* s**urity **visori*s *n* *ommit *i**s s*ows t**t t** pro**ssP*r*m*t*rs m*t*o* in P*r*m*t*rs.j*v* w*s mo*i*i** to intro*u** M*X_*OUNT limits (vi* or

N/A

Basic Information

Concerned about an active attack path?

CVE-2012-0022: Denial of Service in Apache Tomcat

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI