CVSS v2 base score: 7.5 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.166 (Low), percentile 95.9%
Apache Commons FileUpload, provided by the Apache Software Foundation, contains an issue in the processing of multi-part requests that may cause the process to enter an infinite loop.
As of 2014 February 12, an exploit tool that attacks this vulnerability has been confirmed.
Processing a malformed request may cause the target system to stop responding.
Update the Software
Update to the latest version that contains a fix for this vulnerability:
Apache Struts 2.3.16.1
Apply the Patch
In the developer’s repository, the respective source code that contains a fix for this vulnerability has been released.
Apache Commons FileUpload: <http://svn.apache.org/r1565143>
Apache Tomcat 8: <http://svn.apache.org/r1565163>
Apache Tomcat 7: <http://svn.apache.org/r1565169>
Workaround
Applying the following workaround may mitigate the effect of this vulnerability.
Limit the Content-Type header size to less than 4091 bytes.
For more information, please refer to the developer’s site.
The developer also states that Apache Commons FileUpload is widely used across multiple Apache products; therefore, Apache products other than Apache Tomcat may also be affected by this vulnerability.
According to the developer, the following products may be affected.