[SECURITY] CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts
Re-sending with corrected credit CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 Apache Tomcat 10.1.0-M1 to 10.1.4 Apache Tomcat 9.0.0-M1 to 9.0.70 Apache Tomcat 8.5.0 to 8.5.84 Description: Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M3 or later when released - Upgrade to Apache Tomcat 10.1.5 or later - Upgrade to Apache Tomcat 9.0.71 or later - Upgrade to Apache Tomcat 8.5.85 or later - Note 11.0.0-M2 was not released Credit: This issue was identified by Jakob Ackermann History: 2023-01-03 Original advisory 2023-01-03 Corrected credit References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html
[SECURITY] CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts
CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 Apache Tomcat 10.1.0-M1 to 10.1.4 Apache Tomcat 9.0.0-M1 to 9.0.70 Apache Tomcat 8.5.0 to 8.5.84 Description: Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M3 or later when released - Upgrade to Apache Tomcat 10.1.5 or later - Upgrade to Apache Tomcat 9.0.71 or later - Upgrade to Apache Tomcat 8.5.85 or later - Note 11.0.0-M2 was not released Credit: This issue was identified by the Apache Tomcat security team. History: 2023-01-03 Original advisory References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html