Posted to users@tomcat.apache.org by S Abirami <s....@ericsson.com.INVALID> on 2023/03/15 09:09:56 UTC

CVE-2023-24998 : Apache Denial of Service

Hi All,

Currently, in our product we are using version 9.0.65 of Tomcat.
We are not using the FileUpload option in any of our applications or in any Servlet.
We also don't have any config to limit file uploads.

Is an attacker still able to perform a malicious upload to our server via URL?
Please let me know your input regarding this CVE-2023-24998 vulnerability, and whether our application is vulnerable or not.

Regards,
Abirami.S

RE: CVE-2023-24998 : Apache Denial of Service

Posted by S Abirami <s....@ericsson.com.INVALID>.
Thanks Mark

-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Thursday, March 16, 2023 2:34 PM
To: users@tomcat.apache.org
Subject: Re: CVE-2023-24998 : Apache Denial of Service

On 16/03/2023 05:33, S Abirami wrote:
> Hi All,
> 
> Currently, in our product we are using version 9.0.65 of Tomcat.
> We are not using the FileUpload option in any of our applications or in any Servlet.
> We also don't have any config to limit file uploads.
> 
> Is an attacker still able to perform a malicious upload to our server via URL?
> Please let me know your input regarding this CVE-2023-24998 vulnerability, and whether our application is vulnerable or not.

If the application has not enabled Tomcat's built-in support for processing request bodies with content type "multipart/form-data" then the application is not exposed to CVE-2023-24998.

Applications enable this support via the "@MultipartConfig" annotation and/or the "multipart-config" element in web.xml.

Note that any frameworks you may be using may enable this processing. 
Check the documentation for the framework.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



Re: CVE-2023-24998 : Apache Denial of Service

Posted by Mark Thomas <ma...@apache.org>.
On 16/03/2023 05:33, S Abirami wrote:
> Hi All,
> 
> Currently, in our product we are using version 9.0.65 of Tomcat.
> We are not using the FileUpload option in any of our applications or in any Servlet.
> We also don't have any config to limit file uploads.
> 
> Is an attacker still able to perform a malicious upload to our server via URL?
> Please let me know your input regarding this CVE-2023-24998 vulnerability, and whether our application is vulnerable or not.

If the application has not enabled Tomcat's built-in support for 
processing request bodies with content type "multipart/form-data" then 
the application is not exposed to CVE-2023-24998.

Applications enable this support via the "@MultipartConfig" annotation 
and/or the "multipart-config" element in web.xml.

Note that any frameworks you may be using may enable this processing. 
Check the documentation for the framework.

Mark
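
One way to check a deployment for the two declarative switches named in the reply above, as an added example that is not part of the original thread or of Tomcat's code: it looks for a "multipart-config" element in web.xml and for the "@MultipartConfig" descriptor in compiled classes. It goes slightly beyond the reply by also checking web-fragment.xml files and classes inside bundled JARs, where a framework would carry them; the function names and the constructed sample WAR are assumptions of this example.

```python
# Added example, not Tomcat code: find declarative multipart configuration in a webapp.
import io
import pathlib
import xml.etree.ElementTree as ET
import zipfile

ANNOTATION_DESCRIPTORS = (b"Ljavax/servlet/annotation/MultipartConfig;",    # Tomcat 9 and earlier
                          b"Ljakarta/servlet/annotation/MultipartConfig;")  # Tomcat 10+

def enables_multipart(name, data):
    """True if this one file declares multipart support."""
    base = name.rsplit("/", 1)[-1]
    if base.endswith(".class"):  # a runtime annotation leaves its descriptor in the constant pool
        return any(d in data for d in ANNOTATION_DESCRIPTORS)
    if base not in ("web.xml", "web-fragment.xml"):
        return False
    try:  # compare local names so every schema namespace matches
        return any(e.tag.rsplit("}", 1)[-1] == "multipart-config" for e in ET.fromstring(data).iter())
    except ET.ParseError:
        return False

def scan(entries, prefix=""):
    """Check (name, bytes) pairs, descending into nested JAR/WAR archives."""
    hits = []
    for name, data in entries:
        if name.endswith((".jar", ".war")) and zipfile.is_zipfile(io.BytesIO(data)):
            zf = zipfile.ZipFile(io.BytesIO(data))
            hits += scan(((n, zf.read(n)) for n in zf.namelist()), f"{prefix}{name}!/")
        elif enables_multipart(name, data):
            hits.append(prefix + name)
    return hits

def scan_webapp(path):
    """List files in a WAR or exploded webapp directory that enable multipart."""
    path = pathlib.Path(path)
    if path.is_file():
        return scan([(path.name, path.read_bytes())])
    return scan((f.relative_to(path).as_posix(), f.read_bytes())
                for f in sorted(path.rglob("*")) if f.is_file())

def sample_war():
    """Constructed WAR: web.xml with multipart-config plus a JAR holding an annotated class."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("fw/Up.class", b"\xca\xfe\xba\xbe" + ANNOTATION_DESCRIPTORS[0])
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app><servlet><multipart-config/></servlet></web-app>")
        z.writestr("WEB-INF/lib/fw.jar", jar.getvalue())
    return war.getvalue()
```

A clean result covers declarative configuration only; a framework that enables multipart processing programmatically is not detected, so the framework documentation still needs checking.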
