Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2023/03/16 09:04:13 UTC
Re: CVE-2023-24998 : Apache Denial of Service
On 16/03/2023 05:33, S Abirami wrote:
> Hi All,
>
> Currently, in our product we are using the 9.0.65 version of Tomcat.
> We are not using the FileUpload option in any of our applications or in any Servlet.
> We also don't have any config to limit file uploads.
>
> Is an attacker still able to perform a malicious upload to our server via URL?
> Please let me know your input regarding this CVE-2023-24998 vulnerability, and whether our application is vulnerable or not.

If the application has not enabled Tomcat's built-in support for
processing request bodies with content type "multipart/form-data" then
the application is not exposed to CVE-2023-24998.

Applications enable this support via the "@MultipartConfig" annotation
and/or the "multipart-config" element in web.xml.

Note that any frameworks you may be using may enable this processing.
Check the documentation for the framework.

Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
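
The two opt-in mechanisms named in the reply above can be checked mechanically in a deployed web application. The following is an added example, not code from this thread or from the Tomcat project: it looks for a "multipart-config" element in web.xml and web-fragment.xml (in any schema namespace) and for the "@MultipartConfig" annotation in compiled classes, including those inside JARs under WEB-INF/lib. The function names and the sample application layout are assumptions made for the illustration.

```python
import pathlib
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# Type descriptors a compiled class carries in its constant pool when it is
# annotated (javax.* up to Tomcat 9, jakarta.* from Tomcat 10).
MARKERS = (b"Ljavax/servlet/annotation/MultipartConfig;",
           b"Ljakarta/servlet/annotation/MultipartConfig;")

def check(name, data):
    """Return why this file enables multipart processing, or None."""
    base = name.replace("!", "/").rsplit("/", 1)[-1]
    if base in ("web.xml", "web-fragment.xml"):
        tags = {el.tag.rsplit("}", 1)[-1] for el in ET.fromstring(data).iter()}
        return "multipart-config element" if "multipart-config" in tags else None
    if base.endswith(".class") and any(m in data for m in MARKERS):
        return "@MultipartConfig annotation"
    return None

def scan_webapp(root):
    """Scan an exploded web application, including JARs in WEB-INF/lib."""
    root, findings = pathlib.Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".jar":
            with zipfile.ZipFile(path) as jar:
                members = [(f"{rel}!{n}", jar.read(n)) for n in jar.namelist()]
        else:
            members = [(rel, path.read_bytes())]
        findings += [(n, why) for n, d in members if (why := check(n, d))]
    return findings

def demo():
    """Constructed sample app: a web.xml and one library class that opt in."""
    with tempfile.TemporaryDirectory() as tmp:
        web_inf = pathlib.Path(tmp, "WEB-INF")
        (web_inf / "lib").mkdir(parents=True)
        (web_inf / "web.xml").write_bytes(
            b'<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>'
            b"<servlet-name>report</servlet-name><multipart-config/></servlet></web-app>")
        # Stand-ins for class files: only the bytes the scanner looks for.
        with zipfile.ZipFile(web_inf / "lib" / "framework.jar", "w") as jar:
            jar.writestr("fw/Plain.class", b"\xca\xfe\xba\xbe plain")
            jar.writestr("fw/Upload.class", b"\xca\xfe\xba\xbe" + MARKERS[0])
        return scan_webapp(tmp)

if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

An empty result covers only these two declarative mechanisms. A framework can also register a multipart configuration in code, which this scan does not see, so the framework documentation check still applies.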
RE: CVE-2023-24998 : Apache Denial of Service
Posted by S Abirami <s....@ericsson.com.INVALID>.
Thanks Mark