CVE-2023-24998

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.




Note that, like all of the file upload limits, the
          new configuration option (FileUploadBase#setFileCountMax) is not
          enabled by default and must be explicitly configured.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
Affected Products (NVD)
VendorProductVersion
apachecommons_fileupload
1.0 ≤
𝑥
< 1.5
apachecommons_fileupload
1.0:beta
debiandebian_linux
9.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcommons-fileupload-java
bookworm
1.4-2
fixed
bullseye
no-dsa
buster
no-dsa
sid
1.5-1
fixed
trixie
1.5-1
fixed
tomcat10
bookworm
10.1.6-1+deb12u2
fixed
bookworm (security)
10.1.6-1+deb12u2
fixed
bullseye
no-dsa
buster
no-dsa
sid
10.1.34-1
fixed
trixie
10.1.34-1
fixed
tomcat9
bookworm
9.0.70-2
fixed
bullseye
9.0.43-2~deb11u10
no-dsa
bullseye (security)
9.0.43-2~deb11u10
fixed
buster
no-dsa
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libcommons-fileupload-java
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
apache-commons-fileupload
suse enterprise sap 15 SP2
1.5-150200.3.9.1
fixed
suse enterprise sap 15 SP3
1.5-150200.3.9.1
fixed
suse enterprise sap 15 SP4
1.5-150200.3.9.1
fixed
suse enterprise sap 15 SP5
1.5-150200.3.9.1
fixed
suse enterprise sap 15 SP6
1.5-150200.3.9.1
fixed
suse enterprise sap 15 SP7
1.5-150200.3.9.1
fixed
suse enterprise server 15 SP2
1.5-150200.3.9.1
fixed
suse enterprise server 15 SP3
1.5-150200.3.9.1
fixed
suse enterprise server 15 SP4
1.5-150200.3.9.1
fixed
suse enterprise server 15 SP5
1.5-150200.3.9.1
fixed
suse enterprise server 15 SP6
1.5-150200.3.9.1
fixed
suse enterprise server 15 SP7
1.5-150200.3.9.1
fixed
jakarta-commons-fileupload
suse enterprise sap 12 SP4
1.1.1-122.8.1
fixed
suse enterprise sap 12 SP5
1.1.1-122.8.1
fixed
suse enterprise sap 15 SP1
1.1.1-150000.4.8.1
fixed
suse enterprise server 12 SP2
1.1.1-122.8.1
fixed
suse enterprise server 12 SP3
1.1.1-122.8.1
fixed
suse enterprise server 12 SP4
1.1.1-122.8.1
fixed
suse enterprise server 12 SP5
1.1.1-122.8.1
fixed
suse enterprise server 15 SP1
1.1.1-150000.4.8.1
fixed
jakarta-commons-fileupload-javadoc
suse enterprise sap 12 SP4
1.1.1-122.8.1
fixed
suse enterprise sap 12 SP5
1.1.1-122.8.1
fixed
suse enterprise server 12 SP2
1.1.1-122.8.1
fixed
suse enterprise server 12 SP3
1.1.1-122.8.1
fixed
suse enterprise server 12 SP4
1.1.1-122.8.1
fixed
suse enterprise server 12 SP5
1.1.1-122.8.1
fixed
tomcat
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise sap 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise sap 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise sap 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP7
9.0.75-150200.41.1
fixed
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
suse enterprise server 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise server 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise server 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP7
9.0.75-150200.41.1
fixed
tomcat-admin-webapps
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise sap 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise sap 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise sap 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP7
9.0.75-150200.41.1
fixed
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
suse enterprise server 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise server 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise server 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP7
9.0.75-150200.41.1
fixed
tomcat-docs-webapp
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
tomcat-el-3_0-api
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise sap 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise sap 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise sap 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP7
9.0.75-150200.41.1
fixed
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
suse enterprise server 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise server 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise server 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP7
9.0.75-150200.41.1
fixed
tomcat-javadoc
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
tomcat-jsp-2_3-api
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise sap 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise sap 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise sap 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP7
9.0.75-150200.41.1
fixed
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
suse enterprise server 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise server 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise server 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP7
9.0.75-150200.41.1
fixed
tomcat-lib
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise sap 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise sap 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise sap 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP7
9.0.75-150200.41.1
fixed
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
suse enterprise server 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise server 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise server 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP7
9.0.75-150200.41.1
fixed
tomcat-servlet-3_1-api
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
tomcat-servlet-4_0-api
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise sap 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise sap 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise sap 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP7
9.0.75-150200.41.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
suse enterprise server 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise server 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise server 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP7
9.0.75-150200.41.1
fixed
tomcat-webapps
suse enterprise sap 12 SP4
9.0.36-3.99.1
fixed
suse enterprise sap 12 SP5
9.0.36-3.99.1
fixed
suse enterprise sap 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise sap 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise sap 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise sap 15 SP7
9.0.75-150200.41.1
fixed
suse enterprise server 12 SP2
8.0.53-29.63.1
fixed
suse enterprise server 12 SP3
8.0.53-29.63.1
fixed
suse enterprise server 12 SP4
9.0.36-3.99.1
fixed
suse enterprise server 12 SP5
9.0.115-3.160.1
fixed
suse enterprise server 15 SP1
9.0.36-150100.4.87.1
fixed
suse enterprise server 15 SP2
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP3
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP4
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP5
9.0.43-150200.35.1
fixed
suse enterprise server 15 SP6
9.0.75-150200.41.1
fixed
suse enterprise server 15 SP7
9.0.75-150200.41.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
tomcat
RHEL 8
1:9.0.62-27.el8_9
fixed
RHEL 9
1:9.0.62-37.el9_3
fixed
tomcat-admin-webapps
RHEL 8
1:9.0.62-27.el8_9
fixed
RHEL 9
1:9.0.62-37.el9_3
fixed
tomcat-docs-webapp
RHEL 8
1:9.0.62-27.el8_9
fixed
RHEL 9
1:9.0.62-37.el9_3
fixed
tomcat-el-3.0-api
RHEL 8
1:9.0.62-27.el8_9
fixed
RHEL 9
1:9.0.62-37.el9_3
fixed
tomcat-jsp-2.3-api
RHEL 8
1:9.0.62-27.el8_9
fixed
RHEL 9
1:9.0.62-37.el9_3
fixed
tomcat-lib
RHEL 8
1:9.0.62-27.el8_9
fixed
RHEL 9
1:9.0.62-37.el9_3
fixed
tomcat-servlet-4.0-api
RHEL 8
1:9.0.62-27.el8_9
fixed
RHEL 9
1:9.0.62-37.el9_3
fixed
tomcat-webapps
RHEL 8
1:9.0.62-27.el8_9
fixed
RHEL 9
1:9.0.62-37.el9_3
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
http://www.openwall.com/lists/oss-security/2023/05/22/1
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
https://security.gentoo.org/glsa/202305-37
https://www.debian.org/security/2023/dsa-5522
http://www.openwall.com/lists/oss-security/2023/05/22/1
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html
https://security.gentoo.org/glsa/202305-37
https://security.netapp.com/advisory/ntap-20230302-0013/
https://security.netapp.com/advisory/ntap-20241108-0002/
https://www.debian.org/security/2023/dsa-5522