Apache Commons FileUpload - DoS with excessive parts
Overview
Apache Commons FileUpload before 1.5 does not limit the number of request parts it will process, so an attacker can trigger a denial of service with a single malicious upload or a series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
See CWE-770: Allocation of Resources Without Limits or Throttling
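As an added illustration, not code from Vaadin or from the advisory, the following shows how an application that calls Commons FileUpload 1.5 directly would enable the part-count limit alongside the existing size limits. It assumes the Servlet API and the 1.5 FileUploadBase methods; the limit values are placeholders to be tuned per application.

```java
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Multipart parsing with all Commons FileUpload 1.5 limits configured (example code). */
public final class BoundedMultipartParser {

    private static final Logger LOG = Logger.getLogger(BoundedMultipartParser.class.getName());

    // Placeholder limits: pick values that match what the application really needs.
    private static final long MAX_PARTS = 20;                        // parts per request
    private static final long MAX_FILE_BYTES = 10L * 1024 * 1024;    // bytes per part
    private static final long MAX_REQUEST_BYTES = 50L * 1024 * 1024; // bytes per request

    private BoundedMultipartParser() {}

    public static ServletFileUpload newUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // The CVE-2023-24998 control: without this call the part count stays unlimited (-1),
        // even on 1.5 and later, so every request is still vulnerable to part flooding.
        upload.setFileCountMax(MAX_PARTS);
        // The older limits only bound bytes; many tiny parts slip under them, hence the new one.
        upload.setFileSizeMax(MAX_FILE_BYTES);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        return upload;
    }

    /** Parses the request or throws; any limit violation rejects the whole request. */
    public static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("Not a multipart request");
        }
        try {
            return newUpload().parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Detection point: repeated hits from one client are a strong DoS-attempt signal.
            LOG.warning("Part-count limit exceeded from " + request.getRemoteAddr() + ": " + e.getMessage());
            throw e;
        }
    }
}
```

The caller should map the exception to a 4xx response so that rejected requests are cheap for the server and visible in access logs.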
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version | Mitigation |
|---|---|
| Vaadin 10.0.0 - 10.0.21 | Upgrade to 10.0.22 (Vaadin extended maintenance starting from June 2023) |
| Vaadin 11.0.0 - 14.9.6 | Upgrade to 14.9.7 or newer |
| Vaadin 15.0.0 - 22.0.28 | Upgrade to 22.1.0 (Vaadin extended maintenance starting from March 2023) |
| Vaadin 23.0.0 - 23.3.7 | Upgrade to 23.3.8 or newer |
Please note that Vaadin versions 11-13 and 15-22.0 are no longer supported; you should update to the latest 14, 22.1, 23 or 24 version.
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:flow-server | 1.0.0 - 1.0.17 | ≥1.0.18 |
| com.vaadin:flow-server | 1.1.0 - 2.8.5 | ≥2.8.6 |
| com.vaadin:flow-server | 3.0.0 - 9.0.26 | ≥9.1.0 |
| com.vaadin:flow-server | 23.0.0 - 23.3.4 | ≥23.3.5 |
| com.vaadin:flow-server | 24.0.0.alpha1 - 24.0.rc3 | ≥24.0.0 |
References
Original CVE: nvd.nist.gov/vuln/detail/CVE-2023-24998
Vendor advisory: lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
History
- 2023-06-22: Initial vulnerability report published