On 20/02/2023 16:40, Olivier Jaquemet wrote:
Hello Mark
Thank you for this advisory.
The changes report [1] of Commons FileUpload 1.5 indicates:
"Add a configurable limit (disabled by default) for the number of
files to upload per request"
Does it mean that 1.5 is not secured by default against
CVE-2023-24998, and requires explicit configuration to be secured?
Correct.
Commons FileUpload does not enable any of the limits (individual file
size, total upload size, number of files) by default. Each must be
configured explicitly.
Note that when Commons FileUpload is integrated into other products,
those products typically provide appropriate defaults for their use of
the library.
Kind regards,
Mark
Thanks for your help,
Olivier
[1]
https://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.5
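The point Mark makes above, that none of the limits are on unless you set them, is easy to check in code. The following is an added example written for this page; it is not code from the advisory, from Mark, or from the Commons FileUpload project. It builds a constructed multipart body with an arbitrary number of parts, feeds it to the library through an in-memory `RequestContext` (no servlet container needed), and contrasts an unconfigured `FileUpload` with one that sets all three limits. The limit values (5 MiB per file, 20 MiB per request, 10 parts), the boundary string, the body builder and the `RequestContext` implementation are all assumptions made for the demo. It assumes commons-fileupload 1.5 and its commons-io dependency on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUpload;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.RequestContext;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;

/** Demo of the opt-in limits in Commons FileUpload 1.5 (added example, not project code). */
public class UploadLimitsDemo {

    /** A FileUpload with none of the limits set, i.e. the library's own defaults. */
    static FileUpload unlimitedUpload() {
        return new FileUpload(new DiskFileItemFactory());
    }

    /**
     * Hypothetical policy chosen for this demo: 5 MiB per file, 20 MiB per request,
     * at most 10 parts. Every setter is opt-in; the library's defaults are -1 (off).
     */
    static FileUpload hardenedUpload() {
        FileUpload upload = new FileUpload(new DiskFileItemFactory());
        upload.setFileSizeMax(5L * 1024 * 1024);   // per-file byte limit
        upload.setSizeMax(20L * 1024 * 1024);      // whole-request byte limit
        upload.setFileCountMax(10);                // part-count limit, new in 1.5 (CVE-2023-24998)
        return upload;
    }

    /** Constructed multipart/form-data body with the given number of tiny file parts. */
    static byte[] multipartBody(String boundary, int parts) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < parts; i++) {
            sb.append("--").append(boundary).append("\r\n")
              .append("Content-Disposition: form-data; name=\"f").append(i)
              .append("\"; filename=\"f").append(i).append(".txt\"\r\n")
              .append("Content-Type: text/plain\r\n\r\n")
              .append("x\r\n");
        }
        sb.append("--").append(boundary).append("--\r\n");
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    /** Minimal RequestContext over an in-memory body, so no servlet container is needed. */
    static RequestContext inMemoryRequest(final String boundary, final byte[] body) {
        return new RequestContext() {
            @Override public String getCharacterEncoding() { return "US-ASCII"; }
            @Override public String getContentType() { return "multipart/form-data; boundary=" + boundary; }
            @Override public int getContentLength() { return body.length; }
            @Override public InputStream getInputStream() { return new ByteArrayInputStream(body); }
        };
    }

    /** Parses a synthetic request carrying {@code parts} parts and reports what the library did. */
    static String parse(FileUpload upload, int parts) {
        String boundary = "----demoBoundary";
        RequestContext req = inMemoryRequest(boundary, multipartBody(boundary, parts));
        try {
            List<FileItem> items = upload.parseRequest(req);
            for (FileItem item : items) {
                item.delete(); // release any temp file DiskFileItemFactory may have spilled to disk
            }
            return "accepted " + items.size() + " parts";
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            return "rejected, part limit " + e.getLimit() + " exceeded";
        } catch (FileUploadBase.FileSizeLimitExceededException e) {
            return "rejected, per-file size limit exceeded: " + e.getMessage();
        } catch (FileUploadBase.SizeLimitExceededException e) {
            return "rejected, request size limit exceeded: " + e.getMessage();
        } catch (FileUploadException e) {
            return "rejected, malformed upload: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Unconfigured 1.5 behaves like 1.4 here: every one of the 10,000 parts is parsed and buffered.
        System.out.println("library defaults: " + parse(unlimitedUpload(), 10_000));
        // With setFileCountMax(10) parsing stops as soon as the limit is reached.
        System.out.println("hardened, 10000:  " + parse(hardenedUpload(), 10_000));
        System.out.println("hardened, 10:     " + parse(hardenedUpload(), 10));
    }
}
```

Two caveats when applying this in a real service. First, the counter is applied to parsed items, so ordinary form fields count toward `setFileCountMax` as well as file parts; size the limit for the whole form, not just its file inputs. Second, upgrading the `commons-fileupload` artifact in your own build does nothing for copies that other products repackage or shade under a different package name; check the dependency tree and the container's own libraries, and rely on those products' defaults only after confirming which version they ship.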
On 20/02/2023 16:55, Mark Thomas wrote:
CVE-2023-24998 Apache Commons FileUpload - DoS with excessive parts
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Commons FileUpload 1.0-beta-1 to 1.4
Description:
Apache Commons FileUpload before 1.5 does not limit the number of
request parts to be processed resulting in the possibility of an
attacker triggering a DoS with a malicious upload or series of uploads.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Commons FileUpload 1.5 or later
Credit:
This issue was identified by Jakob Ackermann and reported responsibly to
the Apache Commons Security Team.
History:
2023-02-20 Original advisory
References:
[1]
https://commons.apache.org/proper/commons-fileupload/security-reports.html
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org