The Apache Commons FileUpload component can be used to add a file upload
capability to your applications.
A flaw was found in the way the DiskFileItem class handled NULL characters
in file names. A remote attacker able to supply a serialized instance of
the DiskFileItem class, which will be deserialized on a server, could use
this flaw to write arbitrary content to any location on the server that is
accessible to the user running the application server process.
(CVE-2013-2186)
All users of the affected products as provided from the Red Hat Customer
Portal are advised to apply this update.