On 20/02/2023 16:40, Olivier Jaquemet wrote:
Hello Mark

Thank you for this advisory.

The changes report [1] of Commons FileUpload 1.5 indicates:

   "Add a configurable limit (disabled by default) for the number of files to upload per request"

Does it mean that 1.5 is not secured by default against CVE-2023-24998, and requires explicit configuration to be secured?

Correct.

Commons FileUpload does not enable any of the limits (individual file size, total upload size, number of files) by default. Each must be configured explicitly.

Note that when Commons FileUpload is integrated into other products, those products typically provide appropriate defaults for their use of the library.

Kind regards,

Mark



Thanks for your help,
Olivier

[1] https://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.5

On 20/02/2023 16:55, Mark Thomas wrote:
CVE-2023-24998 Apache Commons FileUpload - DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Commons FileUpload 1.0-beta-1 to 1.4

Description:
Apache Commons FileUpload before 1.5 does not limit the number of
request parts to be processed resulting in the possibility of an
attacker triggering a DoS with a malicious upload or series of uploads.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Commons FileUpload 1.5 or later

Credit:
This issue was identified by Jakob Ackermann and reported responsibly to
the Apache Commons Security Team.

History:
2023-02-20 Original advisory

References:
[1]
https://commons.apache.org/proper/commons-fileupload/security-reports.html
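The explicit configuration Mark describes above, as an added example that is not part of this thread or of the Commons FileUpload project: a `ServletFileUpload` built against the 1.5 API with all three limits set, since none of them is enabled by default. The limit values are constructed for illustration, and the `FileCountLimitExceededException` class is assumed to be the 1.5 name of the exception raised when `setFileCountMax` is exceeded (the other two exception classes predate 1.5).

```java
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase.FileCountLimitExceededException;
import org.apache.commons.fileupload.FileUploadBase.FileSizeLimitExceededException;
import org.apache.commons.fileupload.FileUploadBase.SizeLimitExceededException;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Added example (not code from the thread or the Commons project).
 * Commons FileUpload 1.5 ships with every limit disabled (-1); this wrapper
 * turns all three on so a single multipart request cannot carry an unbounded
 * number of parts (CVE-2023-24998), an oversized file, or an oversized body.
 */
public final class BoundedUpload {

    // Constructed limits for illustration; size them for your own application.
    static final long MAX_FILE_COUNT = 10;                // parts per request (new in 1.5)
    static final long MAX_FILE_SIZE  = 5L * 1024 * 1024;  // bytes per individual file
    static final long MAX_REQUEST    = 20L * 1024 * 1024; // bytes for the whole multipart body

    private BoundedUpload() {}

    /** Builds a ServletFileUpload with the three limits the library leaves off by default. */
    static ServletFileUpload newUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_FILE_COUNT); // 1.5+: caps the number of parts parsed
        upload.setFileSizeMax(MAX_FILE_SIZE);   // caps each individual file
        upload.setSizeMax(MAX_REQUEST);         // caps the entire request body
        return upload;
    }

    /** Thrown by parse() when a request exceeds one of the configured limits; maps to HTTP 413. */
    static final class UploadTooLarge extends Exception {
        UploadTooLarge(String reason, Throwable cause) {
            super(reason, cause);
        }
    }

    /**
     * Parses a multipart request under the configured limits. Limit violations are
     * surfaced as UploadTooLarge so the servlet can reject the request explicitly
     * instead of letting an unbounded parse consume memory or disk.
     */
    static List<FileItem> parse(HttpServletRequest request)
            throws UploadTooLarge, FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart/form-data request");
        }
        try {
            return newUpload().parseRequest(request);
        } catch (FileCountLimitExceededException e) {
            // Too many parts in one request: the condition CVE-2023-24998 describes.
            throw new UploadTooLarge("more than " + MAX_FILE_COUNT + " parts in request", e);
        } catch (FileSizeLimitExceededException e) {
            throw new UploadTooLarge("file '" + e.getFileName() + "' exceeds "
                    + MAX_FILE_SIZE + " bytes", e);
        } catch (SizeLimitExceededException e) {
            throw new UploadTooLarge("request body exceeds " + MAX_REQUEST + " bytes", e);
        }
    }
}
```

In a servlet, catch `UploadTooLarge` and answer with status 413; whatever the outcome, call `delete()` on every `FileItem` returned so temporary files written by `DiskFileItemFactory` are not left behind. The count limit only exists from 1.5 onward, so on 1.4 and earlier the `setFileCountMax` call does not compile, which is a useful signal that the upgrade in the advisory's mitigation has not actually been applied.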


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org



