Yiheng Cao created WICKET-7085:
----------------------------------

             Summary: Security Vulnerability - Action Required: “Improper Input Validation” vulnerability in some versions of org.apache.wicket:wicket-util
                 Key: WICKET-7085
                 URL: https://issues.apache.org/jira/browse/WICKET-7085
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 1.5.15, 6.23.0, 6.22.0, 6.21.0, 1.5.14, 6.20.0, 6.19.0, 1.5.13, 6.18.0, 6.17.0, 6.16.0, 6.15.0, 1.5.12
            Reporter: Yiheng Cao


I think the method 
org.apache.wicket.util.upload.MultipartFormInputStream.<init>(InputStream 
input, byte[] boundary, int bufSize, ProgressNotifier pNotifier) may have an 
“Improper Input Validation” vulnerability which is vulnerable in 
org.apache.wicket:wicket-util in the versions of 1.5.12-1.5.15, 6.15.0-6.23.0. 
It shares similarities to a recent CVE disclosure CVE-2016-3092 in the 
_"apache/commons-fileupload"_ project.

The source vulnerability information is as follows: 

*Vulnerability Detail:*

*CVE Identifier:* CVE-2016-3092

*Description:* The MultipartStream class in Apache Commons Fileupload 
before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 
8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote 
attackers to cause a denial of service (CPU consumption) via a long boundary 
string.

*Reference:* https://nvd.nist.gov/vuln/detail/CVE-2016-3092

*Patch:* 
https://github.com/apache/commons-fileupload/commit/774ef160d591b579f703c694002e080f99bcd28b

*Vulnerability Description:* 

In the vulnerable code, *if the boundary string is null, an 
IllegalArgumentException is thrown. The code then initializes various 
variables, including the input stream, buffer, and boundary string.* However, 
*it fails to adequately check the size of the buffer. If the buffer size is 
smaller than the length of the boundary string plus 1, an 
IllegalArgumentException is thrown.* This allows an attacker to provide an 
excessively long boundary string, causing a buffer overflow and resulting in 
denial-of-service by consuming CPU resources.

Considering the potential risks it may have, I am willing to cooperate with 
you to verify, address, and report the identified vulnerability promptly 
through responsible means. If you require any further information or 
assistance, please do not hesitate to reach out to me. Thank you and look 
forward to hearing from you soon.
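The checks the report is about, as an added example that is not part of the issue and not code from Wicket or commons-fileupload. The `BoundaryGuard` class and its methods are hypothetical; the prefix length and the "buffer must hold the prefixed boundary plus one byte" rule mirror the size check that the linked commons-fileupload 1.3.2 patch adds to the MultipartStream constructor, and the 70-character cap comes from RFC 2046 section 5.1.1. Together they show how a defender bounds an attacker-supplied boundary before it ever reaches a multipart parser, so a long boundary is rejected with an exception instead of driving the parser into CPU-burning loops.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not Wicket or commons-fileupload code) demonstrating the
 * two defensive checks relevant to CVE-2016-3092: a boundary taken from an
 * untrusted Content-Type header is bounded to the RFC 2046 maximum, and the
 * parser buffer is verified to be large enough for that boundary before any
 * stream processing begins.
 */
public final class BoundaryGuard {

    /** RFC 2046 section 5.1.1: a boundary is 1 to 70 characters long. */
    static final int MAX_BOUNDARY_LENGTH = 70;

    /** CR LF "--" is prepended to the boundary by multipart parsers such as MultipartStream. */
    static final byte[] BOUNDARY_PREFIX = {'\r', '\n', '-', '-'};

    /** Matches a quoted or unquoted boundary parameter inside a Content-Type header. */
    private static final Pattern BOUNDARY_PARAM =
            Pattern.compile("(?i)(?:^|;)\\s*boundary=(?:\"([^\"]+)\"|([^;\\s]+))");

    private BoundaryGuard() { }

    /** Extracts the boundary parameter from a multipart Content-Type header, or null if absent. */
    static String extractBoundary(String contentType) {
        if (contentType == null || !contentType.toLowerCase().startsWith("multipart/")) {
            return null;
        }
        Matcher m = BOUNDARY_PARAM.matcher(contentType);
        if (!m.find()) {
            return null;
        }
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    /** Rejects boundaries outside the RFC 2046 length range before they reach the parser. */
    static byte[] checkedBoundary(String boundary) {
        if (boundary == null || boundary.isEmpty()) {
            throw new IllegalArgumentException("multipart boundary is missing");
        }
        if (boundary.length() > MAX_BOUNDARY_LENGTH) {
            throw new IllegalArgumentException(
                    "multipart boundary exceeds the RFC 2046 maximum of 70 characters");
        }
        return boundary.getBytes(StandardCharsets.ISO_8859_1);
    }

    /** Smallest buffer that can hold the prefixed boundary plus one byte of look-ahead. */
    static int minimumBufferSize(byte[] boundary) {
        return boundary.length + BOUNDARY_PREFIX.length + 1;
    }

    /** The same shape of size check the commons-fileupload 1.3.2 fix performs in its constructor. */
    static void checkBufferSize(byte[] boundary, int bufSize) {
        if (bufSize < minimumBufferSize(boundary)) {
            throw new IllegalArgumentException("buffer size " + bufSize
                    + " is too small for a boundary of " + boundary.length
                    + " bytes; need at least " + minimumBufferSize(boundary));
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers: an ordinary browser upload and an abusive one.
        String normal = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW";
        String tooLong = "multipart/form-data; boundary=" + "A".repeat(4096);

        byte[] ok = checkedBoundary(extractBoundary(normal));
        checkBufferSize(ok, 4096);
        System.out.println("accepted boundary of " + ok.length
                + " bytes; minimum buffer " + minimumBufferSize(ok));

        // The oversized boundary is refused before a parser is even constructed.
        try {
            checkedBoundary(extractBoundary(tooLong));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // An in-range boundary is still refused if the configured buffer cannot hold it.
        try {
            checkBufferSize(ok, 16);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The length cap is applied to the header value first because that is the only point where the server controls the input size; the buffer check is kept as a second, independent guard so that a misconfigured (very small) buffer fails loudly at construction rather than at parse time.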
--
This message was sent by Atlassian Jira
(v8.20.10#820010)