CVE-2023-24998

Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts

Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

References

Link	Tags
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy	vendor advisory mailing list
http://www.openwall.com/lists/oss-security/2023/05/22/1	mailing list
https://security.gentoo.org/glsa/202305-37	third party advisory
https://www.debian.org/security/2023/dsa-5522	third party advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html	third party advisory
https://security.netapp.com/advisory/ntap-20230302-0013/

Frequently Asked Questions

What is the severity of CVE-2023-24998?: CVE-2023-24998 has been scored as a high severity vulnerability.
How to fix CVE-2023-24998?: To fix CVE-2023-24998, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-24998 being actively exploited in the wild?: It is possible that CVE-2023-24998 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~41% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-24998?: CVE-2023-24998 affects Apache Software Foundation Apache Commons FileUpload, Apache Software Foundation Apache Tomcat.

Description

Category

CWE-770 – Allocation of Resources Without Limits or Throttling

References

Frequently Asked Questions