Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
{
  "cna_assigner": "apache",
  "unresolved_ranges": [
    {
      "source": "AFFECTED_FIELD",
      "extracted_events": [
        {
          "fixed": "1.5"
        },
        {
          "last_affected": "11.0.0-M1"
        },
        {
          "introduced": "10.0.0-M1"
        },
        {
          "last_affected": "10.1.4"
        },
        {
          "introduced": "9.0.0-M1"
        },
        {
          "last_affected": "9.0.70"
        },
        {
          "introduced": "8.5.0"
        },
        {
          "last_affected": "8.5.84"
        }
      ]
    },
    {
      "source": "DESCRIPTION",
      "extracted_events": [
        {
          "fixed": "1.5"
        }
      ]
    }
  ],
  "cwe_ids": [
    "CWE-770"
  ],
  "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/24xxx/CVE-2023-24998.json"
}