Lucene search

K
cveApacheCVE-2023-24998
HistoryFeb 20, 2023 - 4:15 p.m.

CVE-2023-24998

2023-02-2016:15:10
CWE-770
apache
web.nvd.nist.gov
437
cve-2023-24998
apache
commons
fileupload
dos
nvd
security
vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

High

EPSS

0.026

Percentile

90.5%

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.

Affected configurations

Nvd
Vulners
Node
apachecommons_fileuploadRange1.01.5
OR
apachecommons_fileuploadMatch1.0beta
Node
debiandebian_linuxMatch9.0
OR
debiandebian_linuxMatch11.0
VendorProductVersionCPE
apachecommons_fileupload*cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*
apachecommons_fileupload1.0cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Commons FileUpload",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.5",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "11.0.0-M1"
      },
      {
        "lessThanOrEqual": "10.1.4",
        "status": "affected",
        "version": "10.0.0-M1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.0.70",
        "status": "affected",
        "version": "9.0.0-M1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.5.84",
        "status": "affected",
        "version": "8.5.0",
        "versionType": "semver"
      }
    ]
  }
]

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

High

EPSS

0.026

Percentile

90.5%