CVE-2023-24998

Summary

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Commons FileUpload0 < 1.5affected
Apache Software FoundationApache Tomcat11.0.0-M1affected
Apache Software FoundationApache Tomcat10.0.0-M1 <= 10.1.4affected
Apache Software FoundationApache Tomcat9.0.0-M1 <= 9.0.70affected
Apache Software FoundationApache Tomcat8.5.0 <= 8.5.84affected

Weaknesses

  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling

ADP Enrichment

CVE Program Container

Additional References

References