
=====================================================================

                               CERT-Renater

                    Information Note No. 2023/VULN090

_____________________________________________________________________

DATE                : 23/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Commons FileUpload versions
                     prior to 1.5.

=====================================================================
https://lists.apache.org/thread/olhcbcw3t7w0xh8vgoq64471dgbbt2vp
_____________________________________________________________________

[SECURITY] CVE-2023-24998 Apache Commons FileUpload - DoS with excessive parts


Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Commons FileUpload 1.0-beta-1 to 1.4


Description:
Apache Commons FileUpload before 1.5 does not limit the number of
request parts to be processed, so an attacker can trigger a DoS with a
malicious upload or a series of uploads.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Commons FileUpload 1.5 or later
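
Added example, not part of the advisory or of the Apache project's code: a servlet that parses a multipart request with Commons FileUpload 1.5 and uses the `setFileCountMax` method introduced in that release to cap the number of parts, since the cap is opt-in (-1, the default, disables it) and the upgrade alone does not enforce it. The limit values and the servlet name are illustrative assumptions.

```java
// Added example (not from the advisory or the Apache project): a servlet that
// parses a multipart request with Apache Commons FileUpload 1.5 and rejects a
// request with excessive parts before the remaining parts are processed.
// Assumed: commons-fileupload 1.5 and commons-io on the classpath; MAX_PARTS
// and MAX_BYTES are illustrative values chosen for this example.
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class LimitedUploadServlet extends HttpServlet {
    private static final long MAX_PARTS = 10;                // parts per request (assumed value)
    private static final long MAX_BYTES = 10L * 1024 * 1024; // whole request, 10 MiB (assumed value)

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_PARTS); // new in 1.5; -1 (the default) means unlimited
        upload.setSizeMax(MAX_BYTES);      // total request size; a separate limit from the part count
        try {
            List<FileItem> items = upload.parseRequest(req);
            // ... handle the parsed items here ...
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Part limit reached: the parser stops here instead of consuming every part.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "too many parts in request");
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed upload");
        }
    }
}
```

A burst of rejected requests from one client, logged from the first catch block, is a useful detection signal for this class of abuse.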


Credit:
This issue was identified by Jakob Ackermann and reported responsibly to
the Apache Commons Security Team.


History:
2023-02-20 Original advisory


References:
[1] https://commons.apache.org/proper/commons-fileupload/security-reports.html

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

