CVE-2009-0033
Apache Tomcat Denial of Service via Malformed Request Headers
EPSS 17.5%
Description
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.
How to fix CVE-2009-0033
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2009-0033 being exploited?
Moderate: EPSS is 17.5%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- >= 4.1.0, <= 4.1.39