Apache Commons FileUpload denial of service vulnerability
High severity
GitHub Reviewed
Published
Feb 20, 2023
to the GitHub Advisory Database
•
Updated Apr 18, 2024
>= 10.1.0-M1, < 10.1.5
>= 11.0.0-M2, < 11.0.0-M5
>= 8.5.85, < 8.5.88
>= 9.0.0-M1, < 9.0.71
10.1.5
11.0.0-M5
8.5.88
9.0.71
>= 10.1.0-M1, < 10.1.5
>= 11.0.0-M2, < 11.0.0-M5
>= 8.5.85, < 8.5.88
>= 9.0.0-M1, < 9.0.71
10.1.5
11.0.0-M5
8.5.88
9.0.71
Description
Published by the National Vulnerability Database
Feb 20, 2023
Published to the GitHub Advisory Database
Feb 20, 2023
Reviewed
Feb 22, 2023
Last updated
Apr 18, 2024
Credits
-
sunSUNQ Analyst
-
westonsteimel Analyst
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
References