CVE-2023-24998

Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

How to fix CVE-2023-24998

To remediate CVE-2023-24998, upgrade the affected package to a fixed version below.

• —upgrade to 1.4-1+deb11u1 or later
• —upgrade to 1.4-1+deb11u1 or later
• —upgrade to 10.1.5-1 or later
• —upgrade to 9.0.43-2~deb11u7 or later
• —upgrade to 9.0.31-1~deb10u9 or later
• —upgrade to 9.0.43-2~deb11u7 or later
• —upgrade to 1.5 or later
• —upgrade to 10.1.5 or later
• —upgrade to 10.1.5 or later

Is CVE-2023-24998 being exploited?

Moderate — EPSS is 33.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (9)

• from 0, < 1.4-1+deb11u1
• from 0, < 1.4-1+deb11u1
• from 0, < 10.1.5-1
• from 0, < 9.0.43-2~deb11u7
• from 0, < 9.0.31-1~deb10u9
• from 0, < 9.0.43-2~deb11u7
• from 0, < 1.5
• >= 10.1.0-M1, < 10.1.5
• >= 10.1.0-M1, < 10.1.5

CVSS scores

References (22)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-24998
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-24998
• PATCHgithub.com/apache/commons-fileupload
• WEBcommons.apache.org/proper/commons-fileupload/security-reports.html