[ https://issues.apache.org/jira/browse/TAP5-2295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13918198#comment-13918198 ]
ASF subversion and git services commented on TAP5-2295: ------------------------------------------------------- Commit 8834c7dbe170f141f042108a4f0b57fb0263beff in tapestry-5's branch refs/heads/5.3 from [~bobharner] [ https://git-wip-us.apache.org/repos/asf?p=tapestry-5.git;h=8834c7d ] 5.3 branch: Fixed TAP5-2295 (denial of service vulnerability due to commons-file-upload) by upgrading commons-file-upload from 1.2.2 to 1.3.1, which also required upgrading commons-io from 2.0.1 to 2.2. > Exploit found in commons-file-upload < 1.3.1 > -------------------------------------------- > > Key: TAP5-2295 > URL: https://issues.apache.org/jira/browse/TAP5-2295 > Project: Tapestry 5 > Issue Type: Dependency upgrade > Components: tapestry-upload > Affects Versions: 5.3.5, 5.3.6, 5.3.7, 5.4, 5.2.0 > Reporter: jose luis sanchez > Assignee: Bob Harner > Labels: bug, commons-file-upload, security, tapestry-upload > > Just found that commons-file-upload < 1.3.1 has a bug that can create a DOS > attack . > For more information, see > http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html > I do believe commons-file-upload 1.2.2 it's been used in tapestry-upload > since version 5.2 at least, or even older. > So recommended option is to update dependency to commons-file-upload-1.3.1.jar -- This message was sent by Atlassian JIRA (v6.2#6252)