Vulnerability Details : CVE-2023-24998
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Vulnerability category: Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2023-24998
Probability of exploitation activity in the next 30 days: 0.41%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 70 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2023-24998
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
[email protected] |
CWE ids for CVE-2023-24998
-
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Assigned by: [email protected] (Primary)
References for CVE-2023-24998
Products affected by CVE-2023-24998
- cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*