GHSA-hfrx-6qgj-fp6c

Suggest an improvement
Source
https://github.com/advisories/GHSA-hfrx-6qgj-fp6c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hfrx-6qgj-fp6c
Aliases
Related
Published
2023-02-20T18:30:17Z
Modified
2025-02-13T18:49:24.598350Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Apache Commons FileUpload denial of service vulnerability
Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Database specific 
{
    "cwe_ids": [
        "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-22T00:12:07Z",
    "severity": "HIGH",
    "nvd_published_at": "2023-02-20T16:15:00Z"
}
References

Affected packages

Maven

commons-fileupload:commons-fileupload

Package

Name
commons-fileupload:commons-fileupload
View open source insights on deps.dev
Purl
pkg:maven/commons-fileupload/commons-fileupload

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5

Affected versions

1.*

1.0-beta-1
1.0-rc1
1.0
1.1
1.1.1
1.2
1.2.1
1.2.2
1.3
1.3.1
1.3.1-jenkins-1
1.3.1-jenkins-2
1.3.2
1.3.3
1.4

org.apache.tomcat:tomcat-coyote

Package

Name
org.apache.tomcat:tomcat-coyote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0-M1
Fixed
10.1.5

Affected versions

10.*

10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4

org.apache.tomcat:tomcat-coyote

Package

Name
org.apache.tomcat:tomcat-coyote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0-M2
Fixed
11.0.0-M5

Affected versions

11.*

11.0.0-M3
11.0.0-M4

org.apache.tomcat:tomcat-coyote

Package

Name
org.apache.tomcat:tomcat-coyote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.85
Fixed
8.5.88

Affected versions

8.*

8.5.85
8.5.86
8.5.87

org.apache.tomcat:tomcat-coyote

Package

Name
org.apache.tomcat:tomcat-coyote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0-M1
Fixed
9.0.71

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70

org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0-M1
Fixed
10.1.5

Affected versions

10.*

10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4

org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0-M2
Fixed
11.0.0-M5

Affected versions

11.*

11.0.0-M3
11.0.0-M4

org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.85
Fixed
8.5.88

Affected versions

8.*

8.5.85
8.5.86
8.5.87

org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0-M1
Fixed
9.0.71

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70