You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tapestry.apache.org by "jose luis sanchez (JIRA)" <ji...@apache.org> on 2014/02/28 10:17:19 UTC
[jira] [Created] (TAP5-2295) Exploit found in commons-file-upload <
1.3.1
jose luis sanchez created TAP5-2295:
---------------------------------------
Summary: Exploit found in commons-file-upload < 1.3.1
Key: TAP5-2295
URL: https://issues.apache.org/jira/browse/TAP5-2295
Project: Tapestry 5
Issue Type: Dependency upgrade
Components: tapestry-upload
Affects Versions: 5.2.0, 5.3.6, 5.3.5, 5.3.7, 5.4
Reporter: jose luis sanchez
Just found that commons-file-upload < 1.3.1 has a bug that can create a DOS attack .
For more information, see
http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
I do believe commons-file-upload 1.2.2 it's been used in tapestry-upload since version 5.2 at least, or even older.
So recommended option is to update dependency to commons-file-upload-1.3.1.jar
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)