
CVE-2023-24998

Apache Commons FileUpload denial of service vulnerability

Apache Commons FileUpload before 1.5 does not limit the number of parts it will process in a multipart request, so an attacker can trigger a denial of service with a single malicious upload or a series of uploads: each part costs CPU and memory to parse, and the existing size limits do not bound how many parts a request may contain. Version 1.5 adds a part-count limit, FileUploadBase#setFileCountMax. Note that, like all of the other upload limits (setSizeMax, setFileSizeMax), the new option is not enabled by default (the default, -1, means unlimited) and must be configured explicitly. Apache Tomcat ships a repackaged copy of Commons FileUpload (org.apache.tomcat.util.http.fileupload) for its Servlet multipart support, which is why tomcat-coyote and tomcat-embed-core are also listed under Affected Versions.
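The following is an added example, not code from this advisory or from the Commons FileUpload project, showing the unconfigured (unlimited) parser next to one that sets the 1.5 part-count limit together with the older size limits. The class name, the limit values, and the servlet wiring are assumptions chosen for illustration; the API calls (setFileCountMax, setFileSizeMax, setSizeMax, FileUploadBase.FileCountLimitExceededException) are from the commons-fileupload 1.5 API.

```java
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Added example (not part of the advisory or of Commons FileUpload):
 * configuring the part-count limit introduced in commons-fileupload 1.5.
 * The class name and limit values are hypothetical; tune them per application.
 */
public class BoundedMultipartParser {

    // Upper bound on the number of parts (files and form fields) in one request.
    private static final long MAX_PART_COUNT = 20;

    // Per-file and whole-request byte limits. These existed before 1.5 and do
    // NOT bound the part count: a 50 MiB request of tiny parts is still
    // millions of parts, each of which the parser must handle.
    private static final long MAX_FILE_SIZE_BYTES = 10L * 1024 * 1024;
    private static final long MAX_REQUEST_SIZE_BYTES = 50L * 1024 * 1024;

    /** Unconfigured parser: every limit is -1 (unlimited). Shown only for contrast. */
    static ServletFileUpload unboundedUpload() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    /** Hardened parser: part count, per-file size and request size are all capped. */
    static ServletFileUpload boundedUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_PART_COUNT);          // new in 1.5; default -1 = unlimited
        upload.setFileSizeMax(MAX_FILE_SIZE_BYTES);      // per part
        upload.setSizeMax(MAX_REQUEST_SIZE_BYTES);       // whole request body
        return upload;
    }

    /**
     * Parses a multipart request with the hardened limits. When the request
     * carries more than MAX_PART_COUNT parts the parser stops at the first
     * excess part and throws FileCountLimitExceededException (a subclass of
     * FileUploadException); callers should map it to HTTP 413 rather than
     * retrying.
     */
    public List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart/form-data request");
        }
        try {
            return boundedUpload().parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Reject with context for logging; the body has not been fully buffered.
            throw new FileUploadException(
                    "multipart request exceeded part limit of " + MAX_PART_COUNT, e);
        }
    }
}
```

A useful side effect of adopting setFileCountMax is that the code will not compile against any commons-fileupload release earlier than 1.5, so a stale dependency fails the build rather than silently running unlimited. Applications that use Tomcat's Servlet multipart API (request.getParts()) never call this class directly; for them the remediation is one of the fixed Tomcat versions listed under Affected Versions.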

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

Score: 7.5
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: High
Ecosystem: Maven
Publish Date: February 20, 2023
Modified Date: February 13, 2025

Affected Versions:
- commons-fileupload:commons-fileupload < 1.5
- org.apache.tomcat:tomcat-coyote >= 10.1.0-M1, < 10.1.5
- org.apache.tomcat:tomcat-coyote >= 11.0.0-M2, < 11.0.0-M5
- org.apache.tomcat:tomcat-coyote >= 8.5.85, < 8.5.88
- org.apache.tomcat:tomcat-coyote >= 9.0.0-M1, < 9.0.71
- org.apache.tomcat.embed:tomcat-embed-core >= 10.1.0-M1, < 10.1.5
- org.apache.tomcat.embed:tomcat-embed-core >= 11.0.0-M2, < 11.0.0-M5
- org.apache.tomcat.embed:tomcat-embed-core >= 8.5.85, < 8.5.88
- org.apache.tomcat.embed:tomcat-embed-core >= 9.0.0-M1, < 9.0.71