[ https://issues.apache.org/jira/browse/MYFACES-4677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17871758#comment-17871758 ]
Himanshu Gupta edited comment on MYFACES-4677 at 8/7/24 6:38 PM:
-----------------------------------------------------------------
Tomahawk needs to upgrade the compile time dependency commons FileUpload to 1.5
and provide a way to set FileUploadBase#setFileCountMax to a value.
was (Author: JIRAUSER306482):
Upgrade to upgrade the compile time dependency commons FileUpload to 1.5 and
provide a way to set FileUploadBase#setFileCountMax to a value.
> Security Vulnerability Apache commons-fileupload
> -------------------------------------------------
>
> Key: MYFACES-4677
> URL: https://issues.apache.org/jira/browse/MYFACES-4677
> Project: MyFaces Core
> Issue Type: Improvement
> Components: build process
> Reporter: Himanshu Gupta
> Priority: Critical
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Apache Commons FileUpload before 1.5 does not limit the number of request
> parts to be processed resulting in the possibility of an attacker triggering
> a DoS with a malicious upload or series of uploads. Note that, like all of
> the file upload limits, the new configuration option
> (FileUploadBase#setFileCountMax) is not enabled by default and must be
> explicitly configured. [https://nvd.nist.gov/vuln/detail/CVE-2023-24998]
> Upgrade to FileUpload 1.5 and provide a way to set
> FileUploadBase#setFileCountMax to a value.