Hello Mark
Thank you for this advisory.
The changes report [1] of Commons FileUpload 1.5 indicates:
"Add a configurable limit (disabled by default) for the number of
files to upload per request"
Does it mean that the 1.5 is not secured by default against
CVE-2023-24998, and requires explicit configuration to be secured?
Thanks for your help,
Olivier
[1]
https://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.5
On 20/02/2023 16:55, Mark Thomas wrote:
CVE-2023-24998 Apache Commons FileUpload - DoS with excessive parts
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Commons FileUpload 1.0-beta-1 to 1.4
Description:
Apache Commons FileUpload before 1.5 does not limit the number of
request parts to be processed resulting in the possibility of an
attacker triggering a DoS with a malicious upload or series of uploads.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Commons FileUpload 1.5 or later
Credit:
This issue was identified by Jakob Ackermann and reported responsibly to
the Apache Commons Security Team.
History:
2023-02-20 Original advisory
References:
[1]
https://commons.apache.org/proper/commons-fileupload/security-reports.html
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org