CVE-2013-4444: Apache Tomcat Unrestricted file upload vulnerability
CVSS Score: 6.8
Basic Information
CVE ID: CVE-2013-4444
GHSA ID:
EPSS Score: 0.9041%
CWE:
Published: 5/13/2022
Updated: 8/17/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.apache.tomcat:tomcat | maven | >= 7.0, < 7.0.40 | 7.0.40
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability CVE-2013-4444 stems from improper handling of null bytes in filenames during file uploads. The DiskFileItem class in Tomcat's file upload component uses java.io.File, which in older Java versions (pre-1.7.0_40) did not properly handle null bytes. This allows attackers to upload JSP files by appending a null byte to the filename (e.g., 'malicious.jsp%00.txt'), which truncates the effective filename to 'malicious.jsp'. When combined with a custom JMX listener configuration that allows remote access, this leads to arbitrary code execution. The fix in Tomcat 7.0.40 addressed this by sanitizing filenames to prevent null byte injection.
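The defensive lesson in the analysis above is that an upload handler must validate the name the file will actually be stored under, not the raw string the client submitted, because a lower layer that truncates at a null byte changes the effective extension. The following is an added example written for this page, not Tomcat's own code or the fix shipped in 7.0.40; the class name `UploadNameCheck`, the extension allowlist and the sample names are assumptions made here. It decodes the submitted name once, rejects any embedded null byte outright, reduces the name to its last path segment, and only then applies an extension allowlist and a conservative character set.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

// Added example for this advisory page (not Tomcat's code): a defensive check for the
// filename of a multipart upload. It rejects the null-byte pattern the analysis describes
// instead of trusting the extension that appears at the end of the raw submitted name.
public final class UploadNameCheck {

    // Assumed allowlist of extensions this application is willing to store.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("txt", "png", "jpg", "pdf");

    private UploadNameCheck() {}

    /** Returns a safe basename, or throws IllegalArgumentException if the name is rejected. */
    public static String sanitize(String submittedName) {
        if (submittedName == null || submittedName.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // Decode once so a percent-encoded NUL (%00) is seen as the control character it becomes.
        // (URLDecoder also turns '+' into a space; the character check below rejects spaces anyway.)
        String decoded = URLDecoder.decode(submittedName, StandardCharsets.UTF_8);

        // A NUL anywhere in a filename is never legitimate; older java.io.File truncated at it,
        // which is exactly how 'malicious.jsp\0.txt' became 'malicious.jsp' on disk.
        if (decoded.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("null byte in filename");
        }

        // Keep only the last path segment so directory components cannot be smuggled in.
        String base = decoded.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("filename has no usable basename");
        }

        // Take the extension from the final, sanitized name, not from the raw input.
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: '" + ext + "'");
        }

        // Restrict the remaining characters to a conservative set.
        if (!base.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("filename contains disallowed characters");
        }
        return base;
    }

    public static void main(String[] args) {
        // Constructed sample names: two benign, three that should be rejected.
        String[] samples = {
            "report.txt",
            "malicious.jsp%00.txt",   // percent-encoded NUL, as in the advisory example
            "malicious.jsp\0.txt",    // raw NUL, as a decoded multipart name would carry it
            "../shell.jsp",           // path traversal plus disallowed extension
            "notes.pdf"
        };
        for (String s : samples) {
            String shown = s.replace("\0", "\\0");
            try {
                System.out.println(shown + " -> accepted as " + sanitize(s));
            } catch (IllegalArgumentException e) {
                System.out.println(shown + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The order of the checks matters: the null-byte test runs before the extension test, so a name that ends in an allowed extension but hides a NUL earlier is refused even though a naive "ends with .txt" check would have passed it. Requires Java 10 or later for `URLDecoder.decode(String, Charset)` and `Set.of`.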