Thanks Mark

-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Thursday, March 16, 2023 2:34 PM
To: users@tomcat.apache.org
Subject: Re: CVE-2023-24998 : Apache Denial of Service

On 16/03/2023 05:33, S Abirami wrote:
> Hi All,
>
> Currently, in our product we are using the 9.0.65 version of Tomcat.
> We are not using the FileUpload option in any of our applications or servlets.
> We also don't have any config to limit file uploads.
>
> Is an attacker still able to perform a malicious upload to our server
> via URL?
> Please let me know your input regarding this CVE-2023-24998 vulnerability.
> Is our application vulnerable or not?

If the application has not enabled Tomcat's built-in support for
processing request bodies with content type "multipart/form-data" then
the application is not exposed to CVE-2023-24998.

Applications enable this support via the "@MultipartConfig" annotation
and/or the "multipart-config" element in web.xml.

Note that any frameworks you may be using may enable this processing.
Check the documentation for the framework.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
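
One way to carry out the check described in the reply above, as an added example that is not part of the original thread and is not Tomcat's own code: it walks an exploded webapp directory and reports servlets with a "multipart-config" element in web.xml or web-fragment.xml, plus classes (including those inside framework jars) that carry the "@MultipartConfig" annotation descriptor. The function names and the directory layout are assumptions of this example.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Descriptors a class file holds for @MultipartConfig (javax: Tomcat 9 and
# earlier; jakarta: Tomcat 10+). A byte match is a lead to review, not proof.
MARKERS = (b"Ljavax/servlet/annotation/MultipartConfig;",
           b"Ljakarta/servlet/annotation/MultipartConfig;")

def xml_multipart_servlets(xml_bytes):
    """Names of <servlet> entries that contain a <multipart-config> child."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return ["<unparseable descriptor>"]  # flag it for manual review
    hits = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "servlet":  # ignore the namespace
            kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
            if "multipart-config" in kids:
                hits.append(kids.get("servlet-name", "?"))
    return hits

def scan_entry(label, data):
    """Findings for one file, given its path label and raw bytes."""
    base = label.rsplit("!", 1)[-1].rsplit("/", 1)[-1]
    if base.endswith(".class") and any(m in data for m in MARKERS):
        return [(label, "@MultipartConfig")]
    if base in ("web.xml", "web-fragment.xml"):
        return [(label, "multipart-config: " + s) for s in xml_multipart_servlets(data)]
    found = []
    if base.endswith(".jar"):  # framework jars under WEB-INF/lib
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            for member in jar.namelist():
                found += scan_entry(f"{label}!{member}", jar.read(member))
    return found

def scan_webapp(root):
    """Walk an exploded webapp directory and list multipart indicators."""
    found = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        found += scan_entry(path.relative_to(root).as_posix(), path.read_bytes())
    return found

if __name__ == "__main__":
    for where, what in scan_webapp(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{where}\t{what}")
```

An empty result means neither mechanism named in the reply was found in the files scanned; a hit inside a jar points to the framework whose documentation should be checked.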