CVE-2023-24998
Denial of Service vulnerability in commons-fileupload (Maven)

Denial of Service Proof of concept Fixable By Resolved Security

What is CVE-2023-24998 About?

This vulnerability in Apache Commons FileUpload before version 1.5 allows attackers to trigger a Denial of Service by sending a large number of request parts. This can exhaust server resources, making the service unavailable to legitimate users. Exploitation is straightforward, requiring a malicious upload or series of uploads.

Affected Software

  • commons-fileupload:commons-fileupload
    • <1.5
  • org.apache.tomcat:tomcat-coyote
    • >9.0.0-M1, <9.0.71
    • >8.5.85, <8.5.88
    • >10.1.0-M1, <10.1.5
    • >11.0.0-M2, <11.0.0-M5
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0-M1, <9.0.71
    • >8.5.85, <8.5.88
    • >10.1.0-M1, <10.1.5
    • >11.0.0-M2, <11.0.0-M5

Technical Details

Apache Commons FileUpload versions prior to 1.5 do not enforce limits on the number of request parts processed during a file upload. An attacker can exploit this by submitting a crafted HTTP request containing an excessive number of file upload parts. The server will attempt to process all these parts, leading to resource exhaustion (e.g., memory, CPU) and ultimately a Denial of Service. While a new configuration option, FileUploadBase#setFileCountMax, was introduced to mitigate this, it is not enabled by default, leaving applications vulnerable if not explicitly configured.

What is the Impact of CVE-2023-24998?

Successful exploitation may allow attackers to exhaust server resources, causing a denial of service and disrupting the availability of the application.

What is the Exploitability of CVE-2023-24998?

Exploitation requires sending a malicious upload or a series of uploads to an application using Apache Commons FileUpload. The complexity is low, as it involves crafting an HTTP request with numerous file parts. No specific authentication beyond what's required to initiate a file upload is needed, and no elevated privileges are necessary. This is a remote exploitation scenario, attacking the web server directly. The primary condition is that the vulnerable setFileCountMax option is not explicitly configured in the application, making it susceptible to resource exhaustion through an unbounded number of processed request parts.

What are the Known Public Exploits?

PoC Author Link Commentary
nice1st Link Apache Commons FileUpload 보안 취약점 테스트

What are the Available Fixes for CVE-2023-24998?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

None

Available Upgrade Options

  • org.apache.tomcat:tomcat-coyote
    • >8.5.85, <8.5.88 → Upgrade to 8.5.88
  • org.apache.tomcat:tomcat-coyote
    • >9.0.0-M1, <9.0.71 → Upgrade to 9.0.71
  • org.apache.tomcat:tomcat-coyote
    • >10.1.0-M1, <10.1.5 → Upgrade to 10.1.5
  • org.apache.tomcat:tomcat-coyote
    • >11.0.0-M2, <11.0.0-M5 → Upgrade to 11.0.0-M5
  • commons-fileupload:commons-fileupload
    • <1.5 → Upgrade to 1.5
  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.5.85, <8.5.88 → Upgrade to 8.5.88
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0-M1, <9.0.71 → Upgrade to 9.0.71
  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.1.0-M1, <10.1.5 → Upgrade to 10.1.5
  • org.apache.tomcat.embed:tomcat-embed-core
    • >11.0.0-M2, <11.0.0-M5 → Upgrade to 11.0.0-M5

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2023-24998?

Similar Vulnerabilities: CVE-2019-10025 , CVE-2014-0050 , CVE-2022-22965 , CVE-2016-0738 , CVE-2018-8032

All Rights reserved 2025
Privacy Policy