[ https://issues.apache.org/jira/browse/TOMEE-4187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla closed TOMEE-4187.
----------------------------------
    Fix Version/s:     (was: 10.0.0-M1)
                       (was: 8.0.15)
                       (was: 9.1.0)
       Resolution: Fixed

> Commons FileUpload 1.5
> ----------------------
>
>                 Key: TOMEE-4187
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4187
>             Project: TomEE
>          Issue Type: Dependency upgrade
>    Affects Versions: 8.0.14, 9.0.0
>            Reporter: Richard Zowalla
>            Assignee: Richard Zowalla
>            Priority: Major
>              Labels: CVE
>             Fix For: 10.0.0
>
>
> Versions Affected:
> Apache Commons FileUpload 1.0-beta-1 to 1.4
>
> Description:
> Apache Commons FileUpload before 1.5 does not limit the number of
> request parts to be processed resulting in the possibility of an
> attacker triggering a DoS with a malicious upload or series of uploads.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Commons FileUpload 1.5 or later
>
> Credit:
> This issue was identified by Jakob Ackermann and reported responsibly to
> the Apache Commons Security Team.
>
> History:
> 2023-02-20 Original advisory