CVE-2014-0227 [Medium] | Denial of Service in Tomcat

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	69.38%	21.04%	-48.34%
2	2026-06-08	78.23%	69.38%	-8.85%
3	2026-03-30	—	78.23%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

69.38%

21.04%

-48.34%

2026-06-08

78.23%

69.38%

-8.85%

2026-03-30

—

78.23%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.4	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:N/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	10.0	4.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.4

2.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

4.9

[email protected]

OS Trackers for CVE-2014-0227

vendor	priority	summary	link
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2014-0227
`ubuntu`	low	CVE-2014-0227 low priority: Ubuntu including 3 source packages (tomcat6, tomcat7, tomcat8), 36 status rows across 12 suites (artful, bionic, lucid, precise, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): not-affected 16, DNE 8, released 7, ignored 5.	https://ubuntu.com/security/CVE-2014-0227

Affected software / configurations for CVE-2014-0227

Vendor	Product	Version	Raw CPE
apache	tomcat	6.0.0	cpe:2.3:a:apache:tomcat:6.0.0:::::::*
apache	tomcat	6.0.0	cpe:2.3:a:apache:tomcat:6.0.0:alpha::::::
apache	tomcat	6.0.1	cpe:2.3:a:apache:tomcat:6.0.1:::::::*
apache	tomcat	6.0.1	cpe:2.3:a:apache:tomcat:6.0.1:alpha::::::
apache	tomcat	6.0.2	cpe:2.3:a:apache:tomcat:6.0.2:::::::*
apache	tomcat	6.0.2	cpe:2.3:a:apache:tomcat:6.0.2:alpha::::::
apache	tomcat	6.0.2	cpe:2.3:a:apache:tomcat:6.0.2:beta::::::
apache	tomcat	6.0.3	cpe:2.3:a:apache:tomcat:6.0.3:::::::*
apache	tomcat	6.0.4	cpe:2.3:a:apache:tomcat:6.0.4:::::::*
apache	tomcat	6.0.4	cpe:2.3:a:apache:tomcat:6.0.4:alpha::::::
apache	tomcat	6.0.5	cpe:2.3:a:apache:tomcat:6.0.5:::::::*
apache	tomcat	6.0.6	cpe:2.3:a:apache:tomcat:6.0.6:::::::*
apache	tomcat	6.0.6	cpe:2.3:a:apache:tomcat:6.0.6:alpha::::::
apache	tomcat	6.0.7	cpe:2.3:a:apache:tomcat:6.0.7:::::::*
apache	tomcat	6.0.7	cpe:2.3:a:apache:tomcat:6.0.7:alpha::::::
apache	tomcat	6.0.7	cpe:2.3:a:apache:tomcat:6.0.7:beta::::::
apache	tomcat	6.0.8	cpe:2.3:a:apache:tomcat:6.0.8:::::::*
apache	tomcat	6.0.8	cpe:2.3:a:apache:tomcat:6.0.8:alpha::::::
apache	tomcat	6.0.9	cpe:2.3:a:apache:tomcat:6.0.9:::::::*
apache	tomcat	6.0.9	cpe:2.3:a:apache:tomcat:6.0.9:beta::::::
apache	tomcat	6.0.10	cpe:2.3:a:apache:tomcat:6.0.10:::::::*
apache	tomcat	6.0.11	cpe:2.3:a:apache:tomcat:6.0.11:::::::*
apache	tomcat	6.0.12	cpe:2.3:a:apache:tomcat:6.0.12:::::::*
apache	tomcat	6.0.13	cpe:2.3:a:apache:tomcat:6.0.13:::::::*
apache	tomcat	6.0.14	cpe:2.3:a:apache:tomcat:6.0.14:::::::*
apache	tomcat	6.0.15	cpe:2.3:a:apache:tomcat:6.0.15:::::::*
apache	tomcat	6.0.16	cpe:2.3:a:apache:tomcat:6.0.16:::::::*
apache	tomcat	6.0.17	cpe:2.3:a:apache:tomcat:6.0.17:::::::*
apache	tomcat	6.0.18	cpe:2.3:a:apache:tomcat:6.0.18:::::::*
apache	tomcat	6.0.19	cpe:2.3:a:apache:tomcat:6.0.19:::::::*
apache	tomcat	6.0.20	cpe:2.3:a:apache:tomcat:6.0.20:::::::*
apache	tomcat	6.0.24	cpe:2.3:a:apache:tomcat:6.0.24:::::::*
apache	tomcat	6.0.26	cpe:2.3:a:apache:tomcat:6.0.26:::::::*
apache	tomcat	6.0.27	cpe:2.3:a:apache:tomcat:6.0.27:::::::*
apache	tomcat	6.0.28	cpe:2.3:a:apache:tomcat:6.0.28:::::::*
apache	tomcat	6.0.29	cpe:2.3:a:apache:tomcat:6.0.29:::::::*
apache	tomcat	6.0.30	cpe:2.3:a:apache:tomcat:6.0.30:::::::*
apache	tomcat	6.0.31	cpe:2.3:a:apache:tomcat:6.0.31:::::::*
apache	tomcat	6.0.32	cpe:2.3:a:apache:tomcat:6.0.32:::::::*
apache	tomcat	6.0.33	cpe:2.3:a:apache:tomcat:6.0.33:::::::*
apache	tomcat	6.0.35	cpe:2.3:a:apache:tomcat:6.0.35:::::::*
apache	tomcat	6.0.36	cpe:2.3:a:apache:tomcat:6.0.36:::::::*
apache	tomcat	6.0.37	cpe:2.3:a:apache:tomcat:6.0.37:::::::*
apache	tomcat	6.0.39	cpe:2.3:a:apache:tomcat:6.0.39:::::::*
apache	tomcat	6.0.41	cpe:2.3:a:apache:tomcat:6.0.41:::::::*
apache	tomcat	7.0.0	cpe:2.3:a:apache:tomcat:7.0.0:::::::*
apache	tomcat	7.0.0	cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
apache	tomcat	7.0.1	cpe:2.3:a:apache:tomcat:7.0.1:::::::*
apache	tomcat	7.0.2	cpe:2.3:a:apache:tomcat:7.0.2:::::::*
apache	tomcat	7.0.2	cpe:2.3:a:apache:tomcat:7.0.2:beta::::::
apache	tomcat	7.0.3	cpe:2.3:a:apache:tomcat:7.0.3:::::::*
apache	tomcat	7.0.4	cpe:2.3:a:apache:tomcat:7.0.4:::::::*
apache	tomcat	7.0.4	cpe:2.3:a:apache:tomcat:7.0.4:beta::::::
apache	tomcat	7.0.5	cpe:2.3:a:apache:tomcat:7.0.5:::::::*
apache	tomcat	7.0.6	cpe:2.3:a:apache:tomcat:7.0.6:::::::*
apache	tomcat	7.0.7	cpe:2.3:a:apache:tomcat:7.0.7:::::::*
apache	tomcat	7.0.8	cpe:2.3:a:apache:tomcat:7.0.8:::::::*
apache	tomcat	7.0.9	cpe:2.3:a:apache:tomcat:7.0.9:::::::*
apache	tomcat	7.0.10	cpe:2.3:a:apache:tomcat:7.0.10:::::::*
apache	tomcat	7.0.11	cpe:2.3:a:apache:tomcat:7.0.11:::::::*
apache	tomcat	7.0.12	cpe:2.3:a:apache:tomcat:7.0.12:::::::*
apache	tomcat	7.0.13	cpe:2.3:a:apache:tomcat:7.0.13:::::::*
apache	tomcat	7.0.14	cpe:2.3:a:apache:tomcat:7.0.14:::::::*
apache	tomcat	7.0.15	cpe:2.3:a:apache:tomcat:7.0.15:::::::*
apache	tomcat	7.0.16	cpe:2.3:a:apache:tomcat:7.0.16:::::::*
apache	tomcat	7.0.17	cpe:2.3:a:apache:tomcat:7.0.17:::::::*
apache	tomcat	7.0.18	cpe:2.3:a:apache:tomcat:7.0.18:::::::*
apache	tomcat	7.0.19	cpe:2.3:a:apache:tomcat:7.0.19:::::::*
apache	tomcat	7.0.20	cpe:2.3:a:apache:tomcat:7.0.20:::::::*
apache	tomcat	7.0.21	cpe:2.3:a:apache:tomcat:7.0.21:::::::*
apache	tomcat	7.0.22	cpe:2.3:a:apache:tomcat:7.0.22:::::::*
apache	tomcat	7.0.23	cpe:2.3:a:apache:tomcat:7.0.23:::::::*
apache	tomcat	7.0.24	cpe:2.3:a:apache:tomcat:7.0.24:::::::*
apache	tomcat	7.0.25	cpe:2.3:a:apache:tomcat:7.0.25:::::::*
apache	tomcat	7.0.26	cpe:2.3:a:apache:tomcat:7.0.26:::::::*
apache	tomcat	7.0.27	cpe:2.3:a:apache:tomcat:7.0.27:::::::*
apache	tomcat	7.0.28	cpe:2.3:a:apache:tomcat:7.0.28:::::::*
apache	tomcat	7.0.29	cpe:2.3:a:apache:tomcat:7.0.29:::::::*
apache	tomcat	7.0.30	cpe:2.3:a:apache:tomcat:7.0.30:::::::*
apache	tomcat	7.0.31	cpe:2.3:a:apache:tomcat:7.0.31:::::::*

References for CVE-2014-0227

URL	Tags
http://advisories.mageia.org/MGASA-2015-0081.html
http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html
http://marc.info/?l=bugtraq&m=143393515412274&w=2
http://marc.info/?l=bugtraq&m=143403519711434&w=2
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://rhn.redhat.com/errata/RHSA-2015-0765.html
http://rhn.redhat.com/errata/RHSA-2015-0983.html
http://rhn.redhat.com/errata/RHSA-2015-0991.html
http://svn.apache.org/viewvc?view=revision&revision=1600984
http://tomcat.apache.org/security-6.html	Vendor Advisory
http://tomcat.apache.org/security-7.html	Vendor Advisory
http://tomcat.apache.org/security-8.html	Vendor Advisory
http://www.debian.org/security/2016/dsa-3447
http://www.debian.org/security/2016/dsa-3530
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/bid/72717
http://www.securitytracker.com/id/1032791
http://www.ubuntu.com/usn/USN-2654-1
http://www.ubuntu.com/usn/USN-2655-1
https://bugzilla.redhat.com/show_bug.cgi?id=1109196
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://source.jboss.org/changelog/JBossWeb?cs=2455

URL

CVE-2014-0227

Exploit prediction scoring system (EPSS) score for CVE-2014-0227

Common vulnerability scoring system (CVSS) metrics for CVE-2014-0227

Weakness enumeration for CVE-2014-0227

GitHub Security Advisory for CVE-2014-0227

OS Trackers for CVE-2014-0227

Affected software / configurations for CVE-2014-0227

References for CVE-2014-0227