VAADIN:ADVISORY-2023-04-19
Jun 22, 2023

Apache Commons FileUpload - DoS with excessive parts

vaadin.com

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. See CWE-770: Allocation of Resources Without Limits or Throttling.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version            Mitigation
Vaadin 10.0.0 - 10.0.21    Upgrade to 10.0.22 (Vaadin extended maintenance starting from June 2023)
Vaadin 11.0.0 - 14.9.6     Upgrade to 14.9.7 or newer
Vaadin 15.0.0 - 22.0.28    Upgrade to 22.1.0 (Vaadin extended maintenance starting from March 2023)
Vaadin 23.0.0 - 23.3.7     Upgrade to 23.3.8 or newer

Please note that Vaadin versions 11-13 and 15-22.0 are no longer supported, and you should update to the latest 14, 22.1, 23 or 24 version.

Artifacts

Maven coordinates        Vulnerable version          Fixed version
com.vaadin:flow-server   1.0.0 - 1.0.17              ≥1.0.18
com.vaadin:flow-server   1.1.0 - 2.8.5               ≥2.8.6
com.vaadin:flow-server   3.0.0 - 9.0.26              ≥9.1.0
com.vaadin:flow-server   23.0.0 - 23.3.4             ≥23.3.5
com.vaadin:flow-server   24.0.0.alpha1 - 24.0.rc3    ≥24.0.0

References

Original CVE: nvd.nist.gov/vuln/detail/CVE-2023-24998
Vendor advisory: lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
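The following is an added example, not code from Vaadin or from Commons FileUpload, for applications that call commons-fileupload 1.5 directly through the javax.servlet API: it shows the library's unlimited default beside a configuration that sets FileUploadBase#setFileCountMax together with the other upload limits, and handles the exception raised when the part count is exceeded. The class name BoundedUploadHandler and the limit values are hypothetical; Vaadin users get the corresponding fix by upgrading as listed in the tables above.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class BoundedUploadHandler {
    // Hypothetical limits for this example; size them for your application.
    private static final long MAX_PARTS = 10;                        // parts per request
    private static final long MAX_FILE_BYTES = 5L * 1024 * 1024;     // bytes per part
    private static final long MAX_REQUEST_BYTES = 20L * 1024 * 1024; // bytes per request body

    /** Library default: no limits configured, which is the state the advisory describes. */
    static ServletFileUpload unboundedUpload() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    /** Hardened: every limit set explicitly, including the part count added in 1.5. */
    static ServletFileUpload boundedUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_PARTS);   // -1 (unlimited) unless set explicitly
        upload.setFileSizeMax(MAX_FILE_BYTES);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        return upload;
    }

    public void handle(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        try {
            List<FileItem> items = boundedUpload().parseRequest(req);
            // ... process items; count and size are both bounded by the limits above
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Part count exceeded: parsing stopped early, so reject cheaply and log it
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "too many parts, limit " + e.getLimit());
        } catch (FileUploadBase.SizeLimitExceededException | FileUploadBase.FileSizeLimitExceededException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, e.getMessage());
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart request");
        }
    }
}
```

Requests rejected by the part-count limit are a useful signal to alert on, since legitimate forms rarely approach the configured number of parts.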