CVE-2011-4858

Apache Tomcat < 5.5.35, 6.x < 6.0.35, 7.x < 7.0.23 - Denial of Service via Hash Collision in Form Parameters

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-4858. PoCs published by Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer, including Metasploit module auxiliary/dos/http/hashcollision_dos.

AI-analyzed exploit summary: This Metasploit module exploits a denial-of-service (DoS) vulnerability in PHP and Java web servers by generating a large number of colliding hash values in POST parameters, causing excessive CPU consumption. It includes payload generation for both PHP and Java hash functions and sends multiple HTTP requests to the target.

Description

Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Exploits (2)

metasploit WORKING POC
by Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/hashcollision_dos.rb

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: PHP and Java web servers (e.g., Apache with PHP, Tomcat, Glassfish, Geronimo)
No auth needed
Prerequisites: Network access to the target web server
devstral-2 · analyzed Jun 05, 2026
exploitdb WORKING POC
php · webapps · php
https://www.exploit-db.com/exploits/2012

This exploit demonstrates a SQL injection vulnerability in MyBulletinBoard (MyBB) <= 1.1.5 via the 'CLIENT-IP' HTTP header. It retrieves the admin's login key through blind SQL injection and creates a new admin user by leveraging the stolen session.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: MyBulletinBoard (MyBB) <= 1.1.5
No auth needed
Prerequisites: Target must be running MyBB <= 1.1.5 · Network access to the target
devstral-2 · analyzed Feb 19, 2026

References (26)

Core References
Various Sources x_refsource_misc
http://www.nruns.com/_downloads/advisory28122011.pdf
Various Sources x_refsource_misc
http://www.ocert.org/advisories/ocert-2011-003.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2401
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0325.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=136485229118404&w=2
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0078.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/51200
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=750521
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48791
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18886
Various Sources x_refsource_confirm
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0075.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0074.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48549
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0089.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/54971
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48790
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/55115
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/903934
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=133294394108746&w=2
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=132871655717248&w=2
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0406.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0076.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0077.html

Scores

EPSS 0.7660
EPSS Percentile 99.0%

Details

CWE: CWE-399
Status: published
Products (50)
apache/tomcat 5.5.35
apache/tomcat 6.0.0
apache/tomcat 6.0.1
apache/tomcat 6.0.2
apache/tomcat 6.0.3
apache/tomcat 6.0.4
apache/tomcat 6.0.5
apache/tomcat 6.0.6
apache/tomcat 6.0.7
apache/tomcat 6.0.8
... and 40 more
Published Jan 05, 2012
Tracked Since Feb 18, 2026