CVE-2023-24998 Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts

Published: 2023-02-20 15:57:07
CWE: CWE-770
CNA: apache (www.cve.org)
Tags: cve-2023-24998, apache commons fileupload, apache tomcat, file upload, denial of service, excessive parts

AI Score: 7.9 High (confidence: High)
EPSS: 0.034 Low (percentile: 91.4%)

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
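The configuration the advisory calls for, shown as an added Java example that is not taken from the advisory or from the Commons FileUpload project: a servlet that parses a multipart request with Commons FileUpload 1.5 and sets setFileCountMax alongside the other opt-in limits, rejecting and logging requests that exceed them. The servlet class name and the limit values are assumptions.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class BoundedUploadServlet extends HttpServlet {
    // Limit values are assumed for illustration; size them to the application.
    private static final long MAX_PARTS = 10;                       // part-count cap added in 1.5
    private static final long MAX_FILE_SIZE = 5L * 1024 * 1024;     // per-file cap, 5 MiB
    private static final long MAX_REQUEST_SIZE = 20L * 1024 * 1024; // whole-request cap, 20 MiB

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // None of these limits is enabled by default. Without setFileCountMax the
        // parser accepts an unbounded number of parts (CVE-2023-24998).
        upload.setFileCountMax(MAX_PARTS);
        upload.setFileSizeMax(MAX_FILE_SIZE);
        upload.setSizeMax(MAX_REQUEST_SIZE);

        List<FileItem> items;
        try {
            items = upload.parseRequest(req);
        } catch (FileUploadException e) {
            // Raised when a limit is exceeded or the multipart body is malformed.
            // Logging the rejection gives a detection signal for abusive uploads.
            log("Rejected multipart request from " + req.getRemoteAddr() + ": " + e.getMessage());
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload limits exceeded");
            return;
        }
        for (FileItem item : items) {
            if (!item.isFormField()) {
                // application-specific handling of the uploaded file goes here
            }
            item.delete(); // release any temporary file backing the part
        }
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

Tomcat users get the equivalent protection by upgrading to a fixed release listed below rather than by calling this API directly.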

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Commons FileUpload",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.5",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "11.0.0-M1"
      },
      {
        "lessThanOrEqual": "10.1.4",
        "status": "affected",
        "version": "10.0.0-M1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.0.70",
        "status": "affected",
        "version": "9.0.0-M1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.5.84",
        "status": "affected",
        "version": "8.5.0",
        "versionType": "semver"
      }
    ]
  }
]