Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2023/03/16 09:04:13 UTC

Re: CVE-2023-24998 : Apache Denial of Service

On 16/03/2023 05:33, S Abirami wrote:
> Hi All,
> 
> Currently, in our product we are using the 9.0.65 version of Tomcat.
> We are not using the FileUpload option in any of our applications or in a Servlet.
> We don't have any config to limit file uploads either.
> 
> Is an attacker still able to perform a malicious upload to our server via a URL?
> Please let me know your input regarding this CVE-2023-24998 vulnerability, i.e. whether our application is vulnerable or not.

If the application has not enabled Tomcat's built-in support for 
processing request bodies with content type "multipart/form-data" then 
the application is not exposed to CVE-2023-24998.

Applications enable this support via the "@MultipartConfig" annotation 
and/or the "multipart-config" element in web.xml.

Note that any frameworks you may be using may enable this processing. 
Check the documentation for the framework.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
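The two enablement paths Mark names can be checked mechanically on a deployed (exploded) webapp. The script below is an added example, not Tomcat's code and not from this thread: it parses WEB-INF/web.xml for a <multipart-config> element and scans the class files under WEB-INF/classes and inside WEB-INF/lib jars for the @MultipartConfig annotation descriptor (javax.servlet on Tomcat 9, jakarta.servlet on Tomcat 10 and later). The sample webapp it builds, including the stand-in .class bytes, is constructed for the demonstration; it mirrors Mark's caveat in that framework-level enablement is not detected, so a clean result is necessary but not sufficient.

```python
"""Added example, not Tomcat's code nor from the thread: report whether an exploded
Tomcat webapp enables multipart/form-data processing by either path named above,
<multipart-config> in WEB-INF/web.xml or @MultipartConfig on a servlet class."""
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Servlet API is javax.* on Tomcat 9 and jakarta.* on Tomcat 10+; javac stores the
# annotation type as this descriptor string in the class file's constant pool.
ANNOTATION_DESCRIPTORS = (
    b"Ljavax/servlet/annotation/MultipartConfig;",
    b"Ljakarta/servlet/annotation/MultipartConfig;",
)


def _local(tag):
    """Drop the XML namespace so web.xml from any Servlet spec version matches."""
    return tag.rsplit("}", 1)[-1]


def web_xml_multipart_servlets(web_xml_path):
    """Names of servlets declaring <multipart-config>; [] if none or no web.xml."""
    if not os.path.isfile(web_xml_path):
        return []
    names = []
    for el in ET.parse(web_xml_path).getroot().iter():
        if _local(el.tag) != "servlet":
            continue
        kids = {_local(c.tag): c for c in el}
        if "multipart-config" in kids:
            name = kids.get("servlet-name")
            names.append((name.text or "").strip() if name is not None else "<unnamed>")
    return names


def annotated_classes(webapp_dir):
    """Class files (loose under WEB-INF/classes or inside WEB-INF/lib jars) referencing @MultipartConfig."""
    def tagged(data):
        return any(d in data for d in ANNOTATION_DESCRIPTORS)
    hits = []
    classes = os.path.join(webapp_dir, "WEB-INF", "classes")
    for root, _dirs, files in os.walk(classes):
        for fn in files:
            path = os.path.join(root, fn)
            if fn.endswith(".class") and tagged(Path(path).read_bytes()):
                hits.append(os.path.relpath(path, classes))
    lib = os.path.join(webapp_dir, "WEB-INF", "lib")
    for jar in sorted(os.listdir(lib)) if os.path.isdir(lib) else []:
        if jar.endswith(".jar"):
            with zipfile.ZipFile(os.path.join(lib, jar)) as zf:
                hits += [jar + "!" + e for e in zf.namelist()
                         if e.endswith(".class") and tagged(zf.read(e))]
    return sorted(hits)


def multipart_enabled(webapp_dir):
    """True if either enablement path is present in the webapp."""
    web_xml = os.path.join(webapp_dir, "WEB-INF", "web.xml")
    return bool(web_xml_multipart_servlets(web_xml)) or bool(annotated_classes(webapp_dir))


# Constructed sample inputs (not from any real deployment).
WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>upload</servlet-name>
    <servlet-class>com.example.UploadServlet</servlet-class>{mp}
  </servlet>
</web-app>
"""
MULTIPART_CONFIG = """
    <multipart-config>
      <max-file-size>1048576</max-file-size>
      <max-request-size>2097152</max-request-size>
    </multipart-config>"""
# Stand-in for javac output: class-file magic plus the descriptor string, which is
# all the byte scan inspects; it is not a loadable class.
FAKE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 4 + ANNOTATION_DESCRIPTORS[0]


def build_sample_webapp(xml_config=False, loose_class=False, jar_class=False):
    """Write a throwaway exploded webapp into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webapp-")
    classes = os.path.join(root, "WEB-INF", "classes", "com", "example")
    lib = os.path.join(root, "WEB-INF", "lib")
    for d in (classes, lib):
        os.makedirs(d)
    with open(os.path.join(root, "WEB-INF", "web.xml"), "w", encoding="utf-8") as fh:
        fh.write(WEB_XML_TEMPLATE.format(mp=MULTIPART_CONFIG if xml_config else ""))
    if loose_class:
        with open(os.path.join(classes, "UploadServlet.class"), "wb") as fh:
            fh.write(FAKE_CLASS)
    if jar_class:
        with zipfile.ZipFile(os.path.join(lib, "framework.jar"), "w") as zf:
            zf.writestr("org/example/FrameworkUpload.class", FAKE_CLASS)
    return root
```

Point multipart_enabled() at each directory under webapps/ (or at a WAR unpacked with unzip). A hit means Tomcat's built-in multipart parser is reachable for that servlet and the Tomcat-side fix applies; a miss only covers the built-in path. An application or framework that ships its own copy of Apache Commons FileUpload, the library CVE-2023-24998 was assigned to, is a separate exposure that this scan does not see and that needs its own dependency review.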


RE: CVE-2023-24998 : Apache Denial of Service

Posted by S Abirami <s....@ericsson.com.INVALID>.
Thanks Mark
