CVE-2023-24998

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.




Note that, like all of the file upload limits, the
          new configuration option (FileUploadBase#setFileCountMax) is not
          enabled by default and must be explicitly configured.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
apachecommons_fileupload
1.0 ≤
𝑥
< 1.5
apachecommons_fileupload
1.0:beta
debiandebian_linux
9.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcommons-fileupload-java
bullseye
no-dsa
buster
no-dsa
bookworm
1.4-2
fixed
trixie
1.5-1
fixed
sid
1.5-1
fixed
tomcat10
bookworm
10.1.6-1+deb12u2
fixed
bookworm (security)
10.1.6-1+deb12u2
fixed
bullseye
no-dsa
buster
no-dsa
trixie
10.1.34-1
fixed
sid
10.1.34-1
fixed
tomcat9
bullseye (security)
9.0.43-2~deb11u10
fixed
bullseye
9.0.43-2~deb11u10
no-dsa
buster
no-dsa
bookworm
9.0.70-2
fixed
trixie
9.0.95-1
fixed
sid
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libcommons-fileupload-java
oracular
needs-triage
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/05/22/1
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
https://security.gentoo.org/glsa/202305-37
https://www.debian.org/security/2023/dsa-5522
http://www.openwall.com/lists/oss-security/2023/05/22/1
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html
https://security.gentoo.org/glsa/202305-37
https://security.netapp.com/advisory/ntap-20230302-0013/
https://security.netapp.com/advisory/ntap-20241108-0002/
https://www.debian.org/security/2023/dsa-5522