You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2023/04/25 18:29:00 UTC

[jira] [Updated] (TOMEE-4187) Commons FileUpload 1.5

     [ https://issues.apache.org/jira/browse/TOMEE-4187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla updated TOMEE-4187:
-----------------------------------
    Fix Version/s: 9.1.0

> Commons FileUpload 1.5
> ----------------------
>
>                 Key: TOMEE-4187
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4187
>             Project: TomEE
>          Issue Type: Dependency upgrade
>    Affects Versions: 9.0.0, 8.0.14
>            Reporter: Richard Zowalla
>            Assignee: Richard Zowalla
>            Priority: Major
>              Labels: CVE
>             Fix For: 10.0.0, 9.0.1, 8.0.15, 9.1.0
>
>
> Versions Affected:
> Apache Commons FileUpload 1.0-beta-1 to 1.4
> Description:
> Apache Commons FileUpload before 1.5 does not limit the number of 
> request parts to be processed resulting in the possibility of an 
> attacker triggering a DoS with a malicious upload or series of uploads.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Commons FileUpload 1.5 or later
> Credit:
> This issue was identified by Jakob Ackermann and reported responsibly to 
> the Apache Commons Security Team.
> History:
> 2023-02-20 Original advisory



--
This message was sent by Atlassian Jira
(v8.20.10#820010)