CVE-2023-24998

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-24998
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2023/05/22/1 Mailing List
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html Third Party Advisory
https://security.gentoo.org/glsa/202305-37 Third Party Advisory
https://www.debian.org/security/2023/dsa-5522 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
History

16 Feb 2024, 19:11

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2023/05/22/1 - () http://www.openwall.com/lists/oss-security/2023/05/22/1 - Mailing List
References () https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html - () https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html - Third Party Advisory
References () https://security.gentoo.org/glsa/202305-37 - () https://security.gentoo.org/glsa/202305-37 - Third Party Advisory
References () https://www.debian.org/security/2023/dsa-5522 - () https://www.debian.org/security/2023/dsa-5522 - Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
First Time Debian
Debian debian Linux

30 May 2023, 06:16

Type Values Removed Values Added
References
  • (MISC) https://security.gentoo.org/glsa/202305-37 -

22 May 2023, 15:15

Type Values Removed Values Added
Summary Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/05/22/1 -

01 Mar 2023, 15:09

Type Values Removed Values Added
CPE cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*
cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
References (MISC) https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy - (MISC) https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy - Mailing List, Vendor Advisory

23 Feb 2023, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-02-20 16:15

Updated : 2024-02-16 19:11

NVD link : CVE-2023-24998

Mitre link : CVE-2023-24998

CVE.ORG link : CVE-2023-24998

JSON object : View

Products Affected

debian

  • debian_linux

apache

  • commons_fileupload
CWE
CWE-770

Allocation of Resources Without Limits or Throttling