Jakob Ackermann

**Name of the Vulnerable Software and Affected Versions** net/textproto versions (affected versions not specified) **Description** The issue is related to HTTP and MIME header parsing, which can allocate large amounts of memory even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Golang (affected versions not specified) **Description** The issue is related to the consumption of large amounts of CPU and memory when processing form inputs containing a large number of parts. This can be caused by several factors, including the undercounting of memory consumption by `mime/multipart.Reader.ReadForm`, increased pressure on the garbage collector from small allocations, and the allocation of short-lived buffers. An attacker can exploit this to cause a denial of service. The issue affects programs that use `mime/multipart.Reader.ReadForm` and form parsing in the `net/http` package with methods like `FormFile`, `FormValue`, `ParseMultipartForm`, and `PostFormValue`. **Recommendations** To resolve the issue, update the `mime/multipart` package to a version that includes the fix for the issue. As a temporary workaround, consider setting environment variables `GODEBUG=multipartmaxparts=` and `GODEBUG=multipartmaxheaders=` to limit the size of parsed forms and the number of header fields, respectively. Restrict access to the `mime/multipart.Reader.ReadForm` function and the `net/http` package's form parsing methods to minimize the risk of exploitation. Avoid using the `FormFile`, `FormValue`, `ParseMultipartForm`, and `PostFormValue` methods in the `net/http` package until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.393 and earlier Jenkins LTS versions 2.375.3 and earlier **Description** The issue is related to the use of the Apache Commons FileUpload library without specifying limits for the number of request parts, allowing attackers to trigger a denial of service. This library is used to process uploaded files via the Stapler web framework and MultipartFormDataParser in Jenkins. Attackers can cause a denial of service by sending crafted requests to HTTP endpoints processing file uploads. **Recommendations** For Jenkins versions 2.393 and earlier, update to version 2.394 or later to limit the number of request parts to be processed. For Jenkins LTS versions 2.375.3 and earlier, update to version 2.375.4 or later to limit the number of request parts to be processed. As a temporary workaround, consider restricting access to HTTP endpoints that process file uploads to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.393 and earlier Jenkins LTS versions 2.375.3 and earlier **Description** The issue allows attackers to trigger a denial of service by exploiting the Apache Commons FileUpload library without specified limits for the number of request parts in org.kohsuke.stapler.RequestImpl. **Recommendations** For Jenkins versions 2.393 and earlier, update to a version that includes the fix for the denial of service issue. For Jenkins LTS versions 2.375.3 and earlier, update to a version that includes the fix for the denial of service issue. As a temporary workaround, consider restricting the number of request parts in the Apache Commons FileUpload library to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GoLang net/http and mime/multipart (affected versions not specified) **Description** A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with `mime/multipart.Reader.ReadForm` can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods `FormFile`, `FormValue`, `ParseMultipartForm`, and `PostFormValue`. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, `ReadForm` did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, `ReadForm` contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With the fix, `ReadForm` now properly accounts for various forms of memory overhead and creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. **Recommendations** To resolve the issue, users should update their GoLang net/http and mime/multipart packages to the latest version. As a temporary workaround, consider using the environment variable `GODEBUG=multipartfiles=distinct` to reenable the previous behavior of using distinct files for each form part. Restrict access to the `mime/multipart.Reader.ReadForm` function to minimize the risk of exploitation. Callers can limit the size of form data with `http.MaxBytesReader`. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.0.0 through 8.0.27 PHP versions 8.1.0 through 8.1.15 PHP versions 8.2.0 through 8.2.2 **Description** The issue is related to an excessive number of parts in HTTP form upload, which can cause high resource consumption and excessive number of log entries. This can lead to denial of service on the affected server by exhausting CPU resources or disk space. The vulnerability is associated with uncontrolled resource consumption and can be exploited by a remote attacker to cause a denial of service. **Recommendations** For PHP versions 8.0.0 through 8.0.27, update to version 8.0.28 or later. For PHP versions 8.1.0 through 8.1.15, update to version 8.1.16 or later. For PHP versions 8.2.0 through 8.2.2, update to version 8.2.3 or later. As a temporary workaround, consider restricting the number of parts in HTTP form uploads to prevent excessive resource consumption.

**Name of the Vulnerable Software and Affected Versions** Django versions 3.2 before 3.2.18 Django versions 4.0 before 4.0.10 Django versions 4.1 before 4.1.7 **Description** The issue is related to an uncontrolled resource consumption in the Django web application platform. Exploitation of this issue could allow a remote attacker to cause a denial-of-service. The vulnerability is in the Multipart Request Parser, where passing certain inputs, such as an excessive number of parts to multipart forms, could result in too many open files or memory exhaustion, providing a potential vector for a denial-of-service attack. **Recommendations** For Django versions 3.2 before 3.2.18, update to version 3.2.18 or later. For Django versions 4.0 before 4.0.10, update to version 4.0.10 or later. For Django versions 4.1 before 4.1.7, update to version 4.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Commons FileUpload versions prior to 1.5 **Description** The issue is related to the unlimited distribution of resources, which can be exploited by an attacker to trigger a denial of service (DoS) with a malicious upload or series of uploads. This can be achieved by not limiting the number of request parts to be processed. A new configuration option, `FileUploadBase#setFileCountMax`, is available but not enabled by default and must be explicitly configured. **Recommendations** To resolve the issue, update Apache Commons FileUpload to version 1.5 or later. As a temporary workaround, consider explicitly configuring the `FileUploadBase#setFileCountMax` option to limit the number of request parts processed.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.3.11 and earlier, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, 2.7.x before 2.7.1 **Description** The issue allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships, due to the failure of `mod/forum/classes/post form.php` to enforce the `moodle/site:accessallgroups` capability requirement before proceeding with a post to all groups. **Recommendations** For Moodle versions 2.3.11 and earlier, update to version 2.4.11 or later. For Moodle versions 2.4.x before 2.4.11, update to version 2.4.11 or later. For Moodle versions 2.5.x before 2.5.7, update to version 2.5.7 or later. For Moodle versions 2.6.x before 2.6.4, update to version 2.6.4 or later. For Moodle versions 2.7.x before 2.7.1, update to version 2.7.1 or later.