Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2023-24998
Back to All
CVE

CVE-2023-24998

Apache Commons FileUpload denial of service vulnerability

Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Base CVSS

7.5

EPSS Score

41.12%

Introduced Version

0

Fix Available

9.0.71,11.0.0-M3,1.5,10.1.5,8.5.85

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.apache.tomcat:tomcat-catalina
7.0.55
CVES Fixed
C
2
H
17
M
0
L
0
Code Changed
+3137
-434

References

https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-8.html
https://github.com/apache/commons-fileupload
https://github.com/search?q=repo%3Aapache%2Ftomcat+util.http+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code
https://security.netapp.com/advisory/ntap-20230302-0013
https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74
https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
https://security.gentoo.org/glsa/202305-37
https://commons.apache.org/proper/commons-fileupload/security-reports.html
https://www.debian.org/security/2023/dsa-5522
https://github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6e
https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38
https://nvd.nist.gov/vuln/detail/CVE-2023-24998
https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce
http://www.openwall.com/lists/oss-security/2023/05/22/1
https://tomcat.apache.org/security-11.html
https://tomcat.apache.org/security-9.html

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01