CVE-2023-24998 commons-fileupload:commons-fileupload

Package

Manager: maven
Name: commons-fileupload:commons-fileupload
Vulnerable Version: >=0 <1.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.41119 (percentile: 0.97301)

Details

Apache Commons FileUpload denial of service vulnerability

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Metadata

Created: 2023-02-20T18:30:17Z
Modified: 2025-02-13T18:41:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-hfrx-6qgj-fp6c
Finding: F029
Auto approve: 1