CVE-2023-24998 : Apache Commons FileUpload before 1.5 does not limit the number of request parts

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Published 2023-02-20 16:15:10

Updated 2025-02-13 17:16:09

Source Apache Software Foundation

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-24998

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Apache » Commons Fileupload
Versions from including (>=) 1.0 and before (<) 1.5
cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*
Matching versions
Apache » Commons Fileupload » Version: 1.0 Update Beta
cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-24998

EPSS FAQ

87.77%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-24998

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	N/A	N/A	Oracle:CPUOct2023
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2023-24998

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: security@apache.org (Secondary)

References for CVE-2023-24998

https://www.debian.org/security/2023/dsa-5522

Debian -- Security Information -- DSA-5522-1 tomcat9
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy

[SECURITY] CVE-2023-24998 Apache Commons FileUpload - DoS with excessive parts-Apache Mail Archives
Mailing List;Vendor Advisory
https://security.gentoo.org/glsa/202305-37

Apache Tomcat: Multiple Vulnerabilities (GLSA 202305-37) — Gentoo security
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2023/05/22/1

oss-security - CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete
Mailing List

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html

[SECURITY] [DLA 3617-1] tomcat9 security update
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20230302-0013/

CVE-2023-24998 Apache Commons FileUpload Vulnerability in NetApp Products | NetApp Product Security

Jump to

Vulnerability Details : CVE-2023-24998

Products affected by CVE-2023-24998

Exploit prediction scoring system (EPSS) score for CVE-2023-24998

CVSS scores for CVE-2023-24998

CWE ids for CVE-2023-24998

References for CVE-2023-24998