CVE-2023-24998

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/05/22/1	Mailing List
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html	Third Party Advisory
https://security.gentoo.org/glsa/202305-37	Third Party Advisory
https://www.debian.org/security/2023/dsa-5522	Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/05/22/1	Mailing List
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html	Third Party Advisory
https://security.gentoo.org/glsa/202305-37	Third Party Advisory
https://security.netapp.com/advisory/ntap-20230302-0013/
https://www.debian.org/security/2023/dsa-5522	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:commons_fileupload::::::::
	cpe:2.3:a:apache:commons_fileupload:1.0:beta::::::

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

History

13 Feb 2025, 17:16

Type	Values Removed	Values Added
Summary	(en) Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.	(en) Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

21 Nov 2024, 07:48

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20230302-0013/ -
References	~~() http://www.openwall.com/lists/oss-security/2023/05/22/1 - Mailing List~~	() http://www.openwall.com/lists/oss-security/2023/05/22/1 - Mailing List
References	~~() https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy - Mailing List, Vendor Advisory~~	() https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy - Mailing List, Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html - Third Party Advisory~~	() https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html - Third Party Advisory
References	~~() https://security.gentoo.org/glsa/202305-37 - Third Party Advisory~~	() https://security.gentoo.org/glsa/202305-37 - Third Party Advisory
References	~~() https://www.debian.org/security/2023/dsa-5522 - Third Party Advisory~~	() https://www.debian.org/security/2023/dsa-5522 - Third Party Advisory

16 Feb 2024, 19:11

Type	Values Removed	Values Added
CPE		cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:debian:debian_linux:9.0:::::::*
First Time		Debian Debian debian Linux
References	~~(MISC) https://security.gentoo.org/glsa/202305-37 -~~	(MISC) https://security.gentoo.org/glsa/202305-37 - Third Party Advisory
References	~~(MISC) https://www.debian.org/security/2023/dsa-5522 -~~	(MISC) https://www.debian.org/security/2023/dsa-5522 - Third Party Advisory
References	~~(MISC) https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html -~~	(MISC) https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html - Third Party Advisory
References	~~(MISC) http://www.openwall.com/lists/oss-security/2023/05/22/1 -~~	(MISC) http://www.openwall.com/lists/oss-security/2023/05/22/1 - Mailing List

13 Oct 2023, 16:15

Type	Values Removed	Values Added
References		(MISC) https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html -

11 Oct 2023, 07:15

Type	Values Removed	Values Added
References		(MISC) https://www.debian.org/security/2023/dsa-5522 -

30 May 2023, 06:16

Type	Values Removed	Values Added
References		(MISC) https://security.gentoo.org/glsa/202305-37 -

22 May 2023, 15:15

Type	Values Removed	Values Added
References		(MISC) http://www.openwall.com/lists/oss-security/2023/05/22/1 -
Summary	Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.	Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Information

Published : 2023-02-20 16:15

Updated : 2025-02-13 17:16

NVD link : CVE-2023-24998

Mitre link : CVE-2023-24998

CVE.ORG link : CVE-2023-24998

JSON object : View

Products Affected

apache

commons_fileupload

debian

debian_linux

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2023-24998", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-02-20T16:15:10.423", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/05/22/1", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://security.gentoo.org/glsa/202305-37", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.debian.org/security/2023/dsa-5522", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/05/22/1", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202305-37", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20230302-0013/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2023/dsa-5522", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\n\n\n\nNote that, like all of the file upload limits, the\n new configuration option (FileUploadBase#setFileCountMax) is not\n enabled by default and must be explicitly configured."}], "lastModified": "2025-02-13T17:16:09.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B386378-64A5-417D-9FE8-F25AE7A26459", "versionEndExcluding": "1.5", "versionStartIncluding": "1.0"}, {"criteria": "cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58B413FF-EBC0-4DFA-B507-AA2A3579E349"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

7.5 /10