CVE-2023-24998 - OpenCVE

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Commons Fileupload
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:a:apache:commons_fileupload::::::::
	cpe:2.3:a:apache:commons_fileupload:1.0:beta::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/05/22/1	Mailing List
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html	Third Party Advisory
https://security.gentoo.org/glsa/202305-37	Third Party Advisory
https://www.debian.org/security/2023/dsa-5522	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-02-20T15:57:07.372Z

Updated: 2023-02-23T09:34:44.714Z

Reserved: 2023-02-01T10:32:05.492Z

Link: CVE-2023-24998

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-02-20T16:15:10.423

Modified: 2024-02-16T19:11:10.163

Link: CVE-2023-24998

JSON object: View

Redhat Information

No data.

CWE

CWE-770

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-24998", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-02-01T10:32:05.492Z", "datePublished": "2023-02-20T15:57:07.372Z", "dateUpdated": "2023-02-23T09:34:44.714Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Commons FileUpload", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.5", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "11.0.0-M1"}, {"lessThanOrEqual": "10.1.4", "status": "affected", "version": "10.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.70", "status": "affected", "version": "9.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.84", "status": "affected", "version": "8.5.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakob Ackermann"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.</div><div><br></div><div>Note that, like all of the file upload limits, the\n new configuration option (FileUploadBase#setFileCountMax) is not\n enabled by default and must be explicitly configured.<br></div>"}], "value": "Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\n\n\n\nNote that, like all of the file upload limits, the\n new configuration option (FileUploadBase#setFileCountMax) is not\n enabled by default and must be explicitly configured.\n\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-02-23T09:34:44.714Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy"}, {"url": "http://www.openwall.com/lists/oss-security/2023/05/22/1"}, {"url": "https://security.gentoo.org/glsa/202305-37"}, {"url": "https://www.debian.org/security/2023/dsa-5522"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B386378-64A5-417D-9FE8-F25AE7A26459", "versionEndExcluding": "1.5", "versionStartIncluding": "1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*", "matchCriteriaId": "58B413FF-EBC0-4DFA-B507-AA2A3579E349", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\n\n\n\nNote that, like all of the file upload limits, the\n new configuration option (FileUploadBase#setFileCountMax) is not\n enabled by default and must be explicitly configured.\n\n\n"}], "id": "CVE-2023-24998", "lastModified": "2024-02-16T19:11:10.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-20T16:15:10.423", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/05/22/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202305-37"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5522"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@apache.org", "type": "Primary"}]}