Vulnerability

CVE-2023-24998

 Report advisory or correction

CVSS Score 7.5 high

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770

References

https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0
https://github.com/apache/commons-fileupload/pull/185
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-11.html
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24998

[CVE-2023-24998] CWE-770: Allocation of Resources Without Limits or Throttling

Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See commons-fileupload/commons-fileupload package information