Bug#1031733: libcommons-fileupload-java: CVE-2023-24998
tony mancill
tmancill at debian.org
Wed Feb 22 05:48:35 GMT 2023
On Tue, Feb 21, 2023 at 04:10:16PM +0100, Moritz Mühlenhoff wrote:
> Source: libcommons-fileupload-java
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for libcommons-fileupload-java.
>
> CVE-2023-24998[0]:
> | Apache Commons FileUpload before 1.5 does not limit the number of
> | request parts to be processed resulting in the possibility of an
> | attacker triggering a DoS with a malicious upload or series of
> | uploads.
>
> https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
> https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
I have a patched version of 1.4 ready to upload using the upstream
patch. However, based on reading the thread above, having the ability
to limit the number of request parts is in the library is not the same
as actually limiting the request parts. The patched library defaults to
an unlimited number, so it is necessary but not sufficient to mitigate
the risk.
Is it safe to assume that CVEs will be created for the software
components that use commons-fileupload, and so I can go ahead and upload
the patched 1.4 version and mark CVE-2023-24998 as complete?
Thanks,
tony
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20230221/5acb8f5c/attachment.sig>
More information about the pkg-java-maintainers
mailing list