Vulnerabilities disclosed in Apache Commons FileUpload

Issue date: 14-06-2023
Affects versions: 15.2, 15.1, 14.7, 13.4

Security Issue ID

SECURITY-431

Affected Product Version(s)

15.2.1, 14.7.13, 13.4.22 and previous releases.

Severity

High

Description

CVE-2023-24988 suppress

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

CVSSv3:

Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Instructions

Customers are recommended to upgrade to the latest version. As of the time of writing, 15.2.3,14.7.14,13.4.23.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

Vulnerabilities disclosed in Apache Commons FileUpload