Vulnerabilities > CVE-2023-24998
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Vulnerable Configurations
References
- http://www.openwall.com/lists/oss-security/2023/05/22/1
- http://www.openwall.com/lists/oss-security/2023/05/22/1
- https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
- https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
- https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
- https://security.gentoo.org/glsa/202305-37
- https://security.gentoo.org/glsa/202305-37
- https://security.netapp.com/advisory/ntap-20230302-0013/
- https://www.debian.org/security/2023/dsa-5522
- https://www.debian.org/security/2023/dsa-5522