libcommons-fileupload-java: CVE-2023-24998

Related Vulnerabilities: CVE-2023-24998  

Debian Bug report logs - #1031733
libcommons-fileupload-java: CVE-2023-24998


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Tue, 21 Feb 2023 15:12:03 UTC

Severity: important

Tags: security, upstream

Found in version libcommons-fileupload-java/1.4-1



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1031733; Package src:libcommons-fileupload-java. (Tue, 21 Feb 2023 15:12:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 21 Feb 2023 15:12:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: libcommons-fileupload-java: CVE-2023-24998
Date: Tue, 21 Feb 2023 16:10:16 +0100
Source: libcommons-fileupload-java
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libcommons-fileupload-java.

CVE-2023-24998[0]:
| Apache Commons FileUpload before 1.5 does not limit the number of
| request parts to be processed resulting in the possibility of an
| attacker triggering a DoS with a malicious upload or series of
| uploads.

https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24998
    https://www.cve.org/CVERecord?id=CVE-2023-24998

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 Feb 2023 15:33:06 GMT)


Marked as found in versions libcommons-fileupload-java/1.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 Feb 2023 16:27:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1031733; Package src:libcommons-fileupload-java. (Wed, 22 Feb 2023 05:51:08 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 22 Feb 2023 05:51:08 GMT)


Message #14 received at 1031733@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 1031733@bugs.debian.org
Subject: Re: Bug#1031733: libcommons-fileupload-java: CVE-2023-24998
Date: Tue, 21 Feb 2023 21:48:35 -0800
On Tue, Feb 21, 2023 at 04:10:16PM +0100, Moritz Mühlenhoff wrote:
> Source: libcommons-fileupload-java
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for libcommons-fileupload-java.
> 
> CVE-2023-24998[0]:
> | Apache Commons FileUpload before 1.5 does not limit the number of
> | request parts to be processed resulting in the possibility of an
> | attacker triggering a DoS with a malicious upload or series of
> | uploads.
> 
> https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
> https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17

I have a patched version of 1.4 ready to upload using the upstream
patch.  However, based on reading the thread above, having the ability
to limit the number of request parts in the library is not the same
as actually limiting the request parts.  The patched library defaults to
an unlimited number, so it is necessary but not sufficient to mitigate
the risk.

Is it safe to assume that CVEs will be created for the software
components that use commons-fileupload, and so I can go ahead and upload
the patched 1.4 version and mark CVE-2023-24998 as complete?

Thanks,
tony

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1031733; Package src:libcommons-fileupload-java. (Wed, 22 Feb 2023 11:15:02 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 22 Feb 2023 11:15:02 GMT)


Message #19 received at 1031733@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: tony mancill <tmancill@debian.org>
Cc: 1031733@bugs.debian.org
Subject: Re: Bug#1031733: libcommons-fileupload-java: CVE-2023-24998
Date: Wed, 22 Feb 2023 12:12:47 +0100
On Tue, Feb 21, 2023 at 09:48:35PM -0800, tony mancill wrote:
> On Tue, Feb 21, 2023 at 04:10:16PM +0100, Moritz Mühlenhoff wrote:
> > Source: libcommons-fileupload-java
> > X-Debbugs-CC: team@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for libcommons-fileupload-java.
> > 
> > CVE-2023-24998[0]:
> > | Apache Commons FileUpload before 1.5 does not limit the number of
> > | request parts to be processed resulting in the possibility of an
> > | attacker triggering a DoS with a malicious upload or series of
> > | uploads.
> > 
> > https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
> > https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
> 
> I have a patched version of 1.4 ready to upload using the upstream
> patch.  However, based on reading the thread above, having the ability
> to limit the number of request parts in the library is not the same
> as actually limiting the request parts.  The patched library defaults to
> an unlimited number, so it is necessary but not sufficient to mitigate
> the risk.
> 
> Is it safe to assume that CVEs will be created for the software
> components that use commons-fileupload, and so I can go ahead and upload
> the patched 1.4 version and mark CVE-2023-24998 as complete?

We can consider CVE-2023-24998 by itself as fixed with your backport; it happens
from time to time that a fix requires a new API or other related changes on the
calling side of a function.

Adapting a codebase to the new function is outside the scope of the CVE system.
If we know any reverse dependency which needs to set fileCountMax, we can patch
it, but often such a setting is also highly dependent on the setup and is a site-specific
setting.

Cheers,
        Moritz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Feb 22 13:07:32 2023; Machine Name: buxtehude
