CVE-2023-24998

HIGH

Apache Commons Fileupload < 1.5 - Resource Allocation Without Limits

Title source: rule

Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Exploits (1)

nomisec WORKING POC 4 stars

by nice1st · poc

https://github.com/nice1st/CVE-2023-24998

View Code ZIP pw:eip

References (8)

[Mailing List] http://www.openwall.com/lists/oss-security/2023/05/22/1

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy

[Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html

[Third Party Advisory] https://security.gentoo.org/glsa/202305-37

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5522

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20230302-0013/

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20241108-0002/

Scores

CVSS v3 7.5

EPSS 0.3641

EPSS Percentile 97.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-770

Status published

Products (7)

apache/commons_fileupload 1.0 beta

apache/commons_fileupload 1.0 - 1.5

commons-fileupload/commons-fileupload 0 - 1.5Maven

debian/debian_linux 9.0

debian/debian_linux 11.0

org.apache.tomcat/tomcat-coyote 10.1.0-M1 - 10.1.5Maven

org.apache.tomcat.embed/tomcat-embed-core 10.1.0-M1 - 10.1.5Maven

Published Feb 20, 2023

Tracked Since Feb 18, 2026