CVE-2023-24998 — Allocation of Resources Without Limits or Throttling in Apache Software Foundation Apache Commons FileUpload
Severity: 7.5 HIGH (NVD)
EPSS: 36.4% (top 2.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 20; latest update Apr 15
Description
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or a series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
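As an added example (not code from this page or from the Commons FileUpload project), the following shows the default, unlimited configuration next to the hardened one the description refers to, using the 1.5 API: FileUploadBase#setFileCountMax together with the pre-existing per-file and per-request size limits. The servlet request handling and the limit values are assumptions.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class UploadLimits {

    // Limit values are assumptions for illustration; size them for the application.
    private static final long MAX_FILE_COUNT = 10;                  // parts per request (setter new in 1.5)
    private static final long MAX_FILE_SIZE = 5L * 1024 * 1024;     // bytes per file
    private static final long MAX_REQUEST_SIZE = 20L * 1024 * 1024; // bytes per whole request

    // Weak: Commons FileUpload with its defaults. Every limit, including the new
    // file-count limit, is off, so a request carrying a very large number of parts
    // is processed in full. This is the condition described by CVE-2023-24998.
    public static ServletFileUpload unlimitedUpload() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    // Hardened: explicitly configure the count limit the advisory refers to,
    // together with the size limits; none of them is enabled by default.
    public static ServletFileUpload limitedUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_FILE_COUNT); // FileUploadBase#setFileCountMax, 1.5 and later
        upload.setFileSizeMax(MAX_FILE_SIZE);
        upload.setSizeMax(MAX_REQUEST_SIZE);
        return upload;
    }

    // Parse a multipart request with the limits applied. Exceeding any limit makes
    // parseRequest throw a FileUploadException subclass, so the caller can answer
    // with a client error instead of spending further resources on the request.
    public static List<FileItem> parseWithLimits(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        return limitedUpload().parseRequest(request);
    }
}
```

Upgrading to 1.5 alone does not change behaviour; the count limit takes effect only where setFileCountMax is called.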
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected packages: 3 packages
Also affects: Debian Linux 11.0, 9.0
Vulnerability details sources: OSV (9), GHSA
Vendor advisories: Oracle (15)
Oracle Analytics Risk Matrix: Development Operations (Apache Commons FileUpload) — CVE-2023-24998, 2025-04-15
Oracle Analytics Risk Matrix: Analytics Server (Apache Commons FileUpload) — CVE-2023-24998, 2025-01-15
Oracle Commerce Risk Matrix: Workbench (Apache Commons FileUpload) — CVE-2023-24998, 2024-07-15
Oracle Supply Chain Risk Matrix: Install (Apache Commons FileUpload) — CVE-2023-24998, 2024-04-15
Oracle Financial Services Applications Risk Matrix: Reports (Apache Commons FileUpload) — CVE-2023-24998, 2024-01-15