
CVE-2013-4444: Apache Tomcat Unrestricted file upload vulnerability

CVSS Score: 6.8

Basic Information

EPSS Score: 0.9041%
Published: 5/13/2022
Updated: 8/17/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected package
Package Name: org.apache.tomcat:tomcat
Ecosystem: maven
Vulnerable Versions: >= 7.0, < 7.0.40
First Patched Version: 7.0.40

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

CVE-2013-4444 stems from improper handling of null bytes in filenames during file uploads. The DiskFileItem class in Tomcat's file upload component passes the client-supplied name to java.io.File, which in older Java versions (pre-1.7.0_40) did not reject null bytes. An attacker can therefore submit a filename such as 'malicious.jsp%00.txt': the part after the null byte is dropped when the path reaches the native file-system call, so the file is written as 'malicious.jsp' even though the visible extension passed any '.txt' check. When combined with a custom JMX listener configuration that allows remote access, this leads to arbitrary code execution. The fix in Tomcat 7.0.40 addressed this by sanitizing filenames so that null bytes cannot alter the effective name.
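The check an application should make before an upload name ever reaches java.io.File, shown as an added example; this is not Tomcat's DiskFileItem code or Miggo's, and the class name, the extension allowlist and the sample inputs are constructed for illustration. It rejects any name containing a NUL character, keeps only the last path segment, and decides the file type from the final extension of the whole string, so a name like 'malicious.jsp\0.txt' cannot pass as a text file.

```java
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper (not part of Tomcat): validates a client-supplied upload filename. */
public final class UploadNameCheck {

    // Constructed allowlist for the example; a real application uses its own.
    private static final Set<String> ALLOWED_EXT = Set.of("txt", "png", "jpg", "pdf");

    private UploadNameCheck() {}

    /**
     * Returns a safe base name or throws IllegalArgumentException.
     * Call this before building a java.io.File / java.nio.file.Path from the name.
     */
    public static String sanitize(String clientName) {
        if (clientName == null || clientName.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // Reject NUL outright. On JVMs before 1.7.0_40, java.io.File handed the name to native
        // code where the C string ended at the NUL, so "malicious.jsp\0.txt" became "malicious.jsp".
        if (clientName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in filename");
        }
        // Keep only the last path segment so "../" or absolute paths cannot leave the upload directory.
        int sep = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(sep + 1);
        // Decide the type from the final extension of the whole name, never from a substring.
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("missing or empty extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Replace anything outside a conservative portable character set.
        return base.replaceAll("[^A-Za-z0-9._-]", "_");
    }

    public static void main(String[] args) {
        // Constructed sample names: one benign, one NUL-truncation attempt, one traversal, one odd case.
        String[] samples = {
            "report.txt",
            "malicious.jsp\0.txt",
            "../../webapps/ROOT/shell.jsp",
            "notes.JPG"
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + sanitize(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

With these inputs the first and last names are accepted and the other two are rejected (NUL byte, then disallowed extension after the path is reduced to its last segment). Storing uploads outside any directory Tomcat serves as a web application is the second half of the defence: even a file that is written with a .jsp name is harmless if no servlet container will ever compile it.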


WAF Protection Rules

WAF Rule

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP f
