cbcvebase.
CVE-2023-24998
published 2023-02-20

CVE-2023-24998: Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS…

high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Affected

35 ranges· showing 25
VendorProductVersion rangeFixed in
apachecommons_fileupload
apachecommons_fileupload>= 1.0 < 1.51.5
apachetomcat
apachetomcat
apachetomcat10.1.5 – 10.1.7
apachetomcat8.5.85 – 8.5.87
apachetomcat9.0.71 – 9.0.73
apache_software_foundationapache_tomcat10.1.5 – 10.1.7
apache_software_foundationapache_tomcat11.0.0-M2 – 11.0.0-M4
apache_software_foundationapache_tomcat8.5.85 – 8.5.87
apache_software_foundationapache_tomcat9.0.71 – 9.0.73
debiandebian_linux
debiandebian_linux
debiandebian_linux
debianlibcommons-fileupload-java< libcommons-fileupload-java 1.4-2 (bookworm)libcommons-fileupload-java 1.4-2 (bookworm)
debiantomcat10< libcommons-fileupload-java 1.4-2 (bookworm)libcommons-fileupload-java 1.4-2 (bookworm)
debiantomcat10< tomcat10 10.1.6-1+deb12u1 (bookworm)tomcat10 10.1.6-1+deb12u1 (bookworm)
debiantomcat9< libcommons-fileupload-java 1.4-2 (bookworm)libcommons-fileupload-java 1.4-2 (bookworm)
debiantomcat9< tomcat10 10.1.6-1+deb12u1 (bookworm)tomcat10 10.1.6-1+deb12u1 (bookworm)
jenkinsdue_to_how_jenkins_community_update_sites_serve_plugin
jenkinsjenkins< 2.375.42.375.4
jenkinsjenkins< 2.3942.394
jenkinsjenkins_community_update_sites_no_longer_publish_plugin
jenkinsjenkins_core
jenkinsjenkins_core_version_on_plugin

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa7.5HIGH
osv7.5HIGH