CVE-2023-24998: Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts
First published: Mon Feb 20 2023(Updated: )
A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service. While Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <0:2.387.3.1684911776-3.el8 | 0:2.387.3.1684911776-3.el8 |
| redhat/jws5-tomcat | <0:9.0.62-15.redhat_00013.1.el7 | 0:9.0.62-15.redhat_00013.1.el7 |
| redhat/jws5-tomcat | <0:9.0.62-15.redhat_00013.1.el8 | 0:9.0.62-15.redhat_00013.1.el8 |
| redhat/jws5-tomcat | <0:9.0.62-15.redhat_00013.1.el9 | 0:9.0.62-15.redhat_00013.1.el9 |
| Apache Commons FileUpload | >=1.0<1.5 | |
| Apache Commons FileUpload | =1.0-beta | |
| debian/libcommons-fileupload-java | <=1.3.3-1<=1.4-1 | 1.4-2 |
| debian/tomcat10 | 10.1.6-1+deb12u1 10.1.16-1 | |
| debian/tomcat9 | <=9.0.31-1~deb10u6<=9.0.43-2~deb11u6 | 9.0.31-1~deb10u10 9.0.43-2~deb11u9 9.0.70-2 |
| redhat/commons-fileupload | <1.5 | 1.5 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0-M1<9.0.71 | 9.0.71 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.85<8.5.88 | 8.5.88 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=11.0.0-M2<11.0.0-M5 | 11.0.0-M5 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=10.1.0-M1<10.1.5 | 10.1.5 |
| maven/org.apache.tomcat:tomcat-coyote | >=9.0.0-M1<9.0.71 | 9.0.71 |
| maven/org.apache.tomcat:tomcat-coyote | >=8.5.85<8.5.88 | 8.5.88 |
| maven/org.apache.tomcat:tomcat-coyote | >=11.0.0-M2<11.0.0-M5 | 11.0.0-M5 |
| maven/org.apache.tomcat:tomcat-coyote | >=10.1.0-M1<10.1.5 | 10.1.5 |
| maven/commons-fileupload:commons-fileupload | <1.5 | 1.5 |
| IBM Cognos Controller | <=11.0.0 - 11.0.1 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =11.0 | |
| >=1.0<1.5 | ||
| =1.0-beta | ||
| =9.0 | ||
| =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2023-24998 https://nvd.nist.gov/vuln/detail/CVE-2023-24998 https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5
- https://bugzilla.redhat.com/show_bug.cgi?id=2172298
- https://access.redhat.com/errata/RHSA-2023:4910
- https://access.redhat.com/errata/RHSA-2023:3299
- https://access.redhat.com/errata/RHSA-2023:4909
- https://access.redhat.com/errata/RHSA-2023:2100
- https://access.redhat.com/security/cve/CVE-2023-24998
- http://www.openwall.com/lists/oss-security/2023/05/22/1
- https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
- https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
- https://security.gentoo.org/glsa/202305-37
- https://www.debian.org/security/2023/dsa-5522
- https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
- https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce
- https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74
- https://security-tracker.debian.org/tracker/CVE-2023-24998
- https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2173752
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2173753
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2173782
- https://access.redhat.com/security/cve/cve-2023-24998
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2211066
- https://access.redhat.com/errata/RHSA-2023:6570
- https://access.redhat.com/errata/RHSA-2023:7065
- https://nvd.nist.gov/vuln/detail/CVE-2023-24998
- https://commons.apache.org/proper/commons-fileupload/security-reports.html
- https://github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6e
- https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38
- https://tomcat.apache.org/security-10.html
- https://tomcat.apache.org/security-11.html
- https://tomcat.apache.org/security-8.html
- https://tomcat.apache.org/security-9.html
- https://github.com/search?q=repo%3Aapache%2Ftomcat+util.http+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code
- https://github.com/advisories/GHSA-hfrx-6qgj-fp6c (Advisory)
- https://www.ibm.com/support/pages/node/7177220 (Advisory)
- https://security.netapp.com/advisory/ntap-20230302-0013/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-24998.
What is the severity of CVE-2023-24998?
The severity of CVE-2023-24998 is high.
What is the impact of CVE-2023-24998?
CVE-2023-24998 can allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.
How can I fix CVE-2023-24998 for Apache Commons FileUpload?
To fix CVE-2023-24998 for Apache Commons FileUpload, upgrade to version 1.5.
How can I fix CVE-2023-24998 for IBM Sterling Secure Proxy?
To fix CVE-2023-24998 for IBM Sterling Secure Proxy, apply the relevant patch from IBM.
How can I fix CVE-2023-24998 for Red Hat Satellite?
CVE-2023-24998 does not directly affect Red Hat Satellite.
Where can I find more information about CVE-2023-24998?
You can find more information about CVE-2023-24998 at the following references: [CVE-2023-24998](https://www.cve.org/CVERecord?id=CVE-2023-24998), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-24998), [Apache Commons FileUpload Security Reports](https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2172298), [Red Hat Errata](https://access.redhat.com/errata/RHSA-2023:3299).
- collector/redhat-cve
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-24998
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hfrx-6qgj-fp6c
- collector/github-advisory
- agent/title
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/trending
- agent/source
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- agent/references
- agent/tags
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-api
- package-manager/redhat
- vendor/apache
- canonical/apache commons fileupload
- version/apache commons fileupload/1.0
- version/apache commons fileupload/1.0-beta
- package-manager/debian
- package-manager/maven
- vendor/ibm
- canonical/ibm cognos controller
- version/ibm cognos controller/11.0.0 - 11.0.1
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0
- version/debian gnu/linux/11.0
- canonical/debian
- version/debian/9.0
- version/debian/11.0