You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tapestry.apache.org by "Bob Harner (JIRA)" <ji...@apache.org> on 2014/03/03 17:11:22 UTC

[jira] [Resolved] (TAP5-2295) Exploit found in commons-file-upload < 1.3.1

     [ https://issues.apache.org/jira/browse/TAP5-2295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Harner resolved TAP5-2295.
------------------------------

       Resolution: Fixed
    Fix Version/s: 5.3.8
                   5.4

> Exploit found in commons-file-upload < 1.3.1
> --------------------------------------------
>
>                 Key: TAP5-2295
>                 URL: https://issues.apache.org/jira/browse/TAP5-2295
>             Project: Tapestry 5
>          Issue Type: Dependency upgrade
>          Components: tapestry-upload
>    Affects Versions: 5.3.5, 5.3.6, 5.3.7, 5.4, 5.2.0
>            Reporter: jose luis sanchez
>            Assignee: Bob Harner
>              Labels: bug, commons-file-upload, security, tapestry-upload
>             Fix For: 5.4, 5.3.8
>
>
> Just found that commons-file-upload < 1.3.1 has a bug that can create a DOS attack .
> For more information, see 
> http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
> I do believe commons-file-upload 1.2.2 it's been used in tapestry-upload since version 5.2 at least, or even older.
> So recommended option is to update dependency to commons-file-upload-1.3.1.jar



--
This message was sent by Atlassian JIRA
(v6.2#6252)