On 16/03/2023 05:33, S Abirami wrote:
> Hi All,
> Currently, in our product we are using version 9.0.65 of Tomcat.
> We are not using the FileUpload option in any of our applications or Servlets.
> We also don't have any config to limit file uploads.
> Is an attacker still able to perform a malicious upload to our server via URL?
> Please let me know your input regarding this CVE-2023-24998 vulnerability.
> Is our application vulnerable or not?

If the application has not enabled Tomcat's built-in support for
processing request bodies with content type "multipart/form-data" then
the application is not exposed to CVE-2023-24998.
Applications enable this support via the "@MultipartConfig" annotation
and/or the "multipart-config" element in web.xml.
Note that any frameworks you may be using may enable this processing.
Check the documentation for the framework.
Mark
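
Added example (not part of the original thread and not Tomcat project code): a Python audit script that searches an unpacked web application, including framework JARs, for the two enabling mechanisms named in the reply. The function names are hypothetical; the `javax.servlet` annotation descriptor is an assumption that fits Tomcat 9.x, and the check of `web-fragment.xml` inside JARs goes beyond what the reply mentions.

```python
import sys
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Annotation type descriptor as stored in a compiled class (javax.servlet, Tomcat 9.x).
ANNOTATION = b"Ljavax/servlet/annotation/MultipartConfig;"
DESCRIPTORS = ("web.xml", "web-fragment.xml")


def xml_enables_multipart(data):
    """True if a deployment descriptor contains a <multipart-config> element."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    # Strip the "{namespace}" prefix ElementTree puts on each tag.
    return any(el.tag.rsplit("}", 1)[-1] == "multipart-config" for el in root.iter())


def enables_multipart(name, data):
    """Check one file (or JAR entry) by name and content."""
    base = name.rsplit("/", 1)[-1]
    if base in DESCRIPTORS:
        return xml_enables_multipart(data)
    return base.endswith(".class") and ANNOTATION in data


def find_multipart_enablers(webapp_dir):
    """Return sorted locations in an unpacked webapp that enable multipart."""
    hits = []
    for path in Path(webapp_dir).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(webapp_dir).as_posix()
        if path.suffix == ".jar":  # framework JARs, e.g. under WEB-INF/lib
            with zipfile.ZipFile(path) as jar:
                hits += [f"{rel}!{n}" for n in jar.namelist()
                         if enables_multipart(n, jar.read(n))]
        elif enables_multipart(rel, path.read_bytes()):
            hits.append(rel)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python script.py /path/to/unpacked/webapp (defaults to current dir)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in find_multipart_enablers(target):
        print("multipart processing enabled by:", hit)
```

A hit in a `.class` file is a candidate to review rather than proof, since the byte match only shows the class references the annotation type. Programmatic registration through `ServletRegistration.Dynamic.setMultipartConfig` is not detected.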