Apache Commons FileUpload denial of service vulnerability

GHSA-hfrx-6qgj-fp6c · CVE-2023-24998

Published Feb 20, 2023 · Modified Feb 4, 2026

Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Packages

Maven/commons-fileupload:commons-fileupload

Fix 1.5

Introduced 0

15 affected versions

1.01.0-beta-11.0-rc11.11.1.11.21.2.11.2.21.31.3.11.3.1-jenkins-11.3.1-jenkins-21.3.21.3.31.4

Maven/org.apache.tomcat.embed:tomcat-embed-core

Fix 10.1.5, 11.0.0-M5, 8.5.88, 9.0.71

Introduced 10.1.0-M1, 11.0.0-M2, 8.5.85, 9.0.0-M1

97 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.210.1.411.0.0-M311.0.0-M4 +77 more

Maven/org.apache.tomcat:tomcat-coyote

Fix 10.1.5, 11.0.0-M5, 8.5.88, 9.0.71

Introduced 10.1.0-M1, 11.0.0-M2, 8.5.85, 9.0.0-M1

97 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.210.1.411.0.0-M311.0.0-M4 +77 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes