CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
commons-fileupload is vulnerable to denial of service attacks. The vulnerability can be triggered because the HTTP server does not properly filter file upload requests in which the size of the MIME boundary is close to the size of the buffer in MultipartStream.
jvn.jp/en/jp/JVN89379547/index.html
jvndb.jvn.jp/jvndb/JVNDB-2016-000121
lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E
rhn.redhat.com/errata/RHSA-2016-2068.html
rhn.redhat.com/errata/RHSA-2016-2069.html
rhn.redhat.com/errata/RHSA-2016-2070.html
rhn.redhat.com/errata/RHSA-2016-2071.html
rhn.redhat.com/errata/RHSA-2016-2072.html
rhn.redhat.com/errata/RHSA-2016-2599.html
rhn.redhat.com/errata/RHSA-2016-2807.html
rhn.redhat.com/errata/RHSA-2016-2808.html
rhn.redhat.com/errata/RHSA-2017-0457.html
svn.apache.org/viewvc?view=revision&revision=1743480
svn.apache.org/viewvc?view=revision&revision=1743722
svn.apache.org/viewvc?view=revision&revision=1743738
svn.apache.org/viewvc?view=revision&revision=1743742
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html
tomcat.apache.org/security-9.html
www.debian.org/security/2016/dsa-3609
www.debian.org/security/2016/dsa-3611
www.debian.org/security/2016/dsa-3614
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
www.securityfocus.com/bid/91453
www.securitytracker.com/id/1036427
www.securitytracker.com/id/1036900
www.securitytracker.com/id/1037029
www.securitytracker.com/id/1039606
www.ubuntu.com/usn/USN-3024-1
www.ubuntu.com/usn/USN-3027-1
access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
access.redhat.com/errata/RHSA-2017:0455
access.redhat.com/errata/RHSA-2017:0456
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1349468
bugzilla.redhat.com/show_bug.cgi?id=1375626
bugzilla.redhat.com/show_bug.cgi?id=1376066
bugzilla.redhat.com/show_bug.cgi?id=1376186
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
security.gentoo.org/glsa/201705-09
security.netapp.com/advisory/ntap-20190212-0001/
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html