Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/05/22/1 | Mailing List |
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy | Mailing List Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html | Third Party Advisory |
https://security.gentoo.org/glsa/202305-37 | Third Party Advisory |
https://www.debian.org/security/2023/dsa-5522 | Third Party Advisory |
http://www.openwall.com/lists/oss-security/2023/05/22/1 | Mailing List |
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy | Mailing List Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html | Third Party Advisory |
https://security.gentoo.org/glsa/202305-37 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230302-0013/ | |
https://www.debian.org/security/2023/dsa-5522 | Third Party Advisory |
Configurations
History
13 Feb 2025, 17:16
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. |
21 Nov 2024, 07:48
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | () http://www.openwall.com/lists/oss-security/2023/05/22/1 - Mailing List | |
References | () https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy - Mailing List, Vendor Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html - Third Party Advisory | |
References | () https://security.gentoo.org/glsa/202305-37 - Third Party Advisory | |
References | () https://www.debian.org/security/2023/dsa-5522 - Third Party Advisory |
16 Feb 2024, 19:11
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2023/05/22/1 - Mailing List | |
References | () https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html - Third Party Advisory | |
References | () https://security.gentoo.org/glsa/202305-37 - Third Party Advisory | |
References | () https://www.debian.org/security/2023/dsa-5522 - Third Party Advisory | |
First Time |
Debian debian Linux
Debian |
|
CPE | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
Information
Published : 2023-02-20 16:15
Updated : 2025-02-13 17:16
NVD link : CVE-2023-24998
Mitre link : CVE-2023-24998
CVE.ORG link : CVE-2023-24998
JSON object : View
Products Affected
debian
- debian_linux
apache
- commons_fileupload
CWE
CWE-770
Allocation of Resources Without Limits or Throttling