PT-2023-2276 · Apache+8 · Apache Commons Fileupload+9

Jakob Ackermann

·

Published

2023-01-19

·

Updated

2026-05-18

·

CVE-2023-24998

CVSS v2.0

7.8

High

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache Commons FileUpload 1.0-beta-1 through 1.4 (every release before 1.5). Apache Tomcat ships a repackaged copy of the library and is affected in 8.5.0 to 8.5.84, 9.0.0-M1 to 9.0.70, 10.1.0-M1 to 10.1.4 and 11.0.0-M2.
Description: The library allocates resources without limits (CWE-770). FileUploadBase does not cap the number of parts in a multipart/form-data request, so a single malicious upload, or a series of uploads, carrying a very large number of parts forces the server to parse and store every one of them, and an unauthenticated attacker can use this to exhaust memory, file handles or temporary disk space and trigger a denial of service. Version 1.5 adds FileUploadBase#setFileCountMax to cap the part count, but, like the other upload limits (setSizeMax, setFileSizeMax), it is disabled by default and must be set explicitly by the application.
Recommendations: Update Apache Commons FileUpload to version 1.5 or later and then call FileUploadBase#setFileCountMax (for example on the ServletFileUpload instance) with a value appropriate for the endpoint; upgrading alone does not enable the limit. Tomcat users should move to 8.5.85, 9.0.71, 10.1.5 or 11.0.0-M3 or later. Where upgrading is not immediately possible, note that setFileCountMax does not exist before 1.5: instead bound the whole request with FileUploadBase#setSizeMax (each part costs at least the boundary bytes, so this also bounds the part count) and, for endpoints that use the streaming API, count parts in the FileItemIterator loop and abort once an application-defined maximum is exceeded.
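The configuration below is an added example written for this advisory page; it is not code from the advisory, from Apache Commons FileUpload or from Apache Tomcat. It shows the vulnerable default (no limits) next to the hardened setup for 1.5, plus a manual part counter over the streaming API for deployments still on a release before 1.5. It assumes commons-fileupload 1.5 and the javax.servlet API on the classpath; the servlet class name, the store() helper and the MAX_PARTS, MAX_REQUEST_BYTES and MAX_FILE_BYTES values are illustrative choices made here, not library defaults (the library's defaults are "unbounded").

```java
// Added example for this advisory; not code from Apache Commons FileUpload or Tomcat.
// Assumes commons-fileupload 1.5 (setFileCountMax and FileCountLimitExceededException
// first appear in that release) and the javax.servlet API.
import java.io.IOException;
import java.io.InputStream;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileItemIterator;
import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class HardenedUploadServlet extends HttpServlet {

    // Hypothetical limits for one upload endpoint; tune them per form.
    private static final long MAX_PARTS = 10;                        // the CVE-2023-24998 knob
    private static final long MAX_REQUEST_BYTES = 20L * 1024 * 1024; // whole multipart body
    private static final long MAX_FILE_BYTES = 5L * 1024 * 1024;     // any single part

    // Vulnerable configuration: every limit left at its default, i.e. unbounded.
    static ServletFileUpload unboundedUpload() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    // Hardened configuration: cap part count, total size and per-part size.
    static ServletFileUpload boundedUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_PARTS);     // new in 1.5, off by default
        upload.setSizeMax(MAX_REQUEST_BYTES);  // pre-dates 1.5, off by default
        upload.setFileSizeMax(MAX_FILE_BYTES); // pre-dates 1.5, off by default
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        try {
            List<FileItem> items = boundedUpload().parseRequest(req);
            for (FileItem item : items) {
                try (InputStream in = item.getInputStream()) {
                    store(item.getFieldName(), item.isFormField(), in);
                } finally {
                    item.delete(); // release the temp file, if the part was spooled to disk
                }
            }
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Raised once the request holds more than MAX_PARTS parts, before the excess is stored.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "too many parts in request");
        } catch (FileUploadBase.SizeLimitExceededException
                 | FileUploadBase.FileSizeLimitExceededException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload too large");
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart request");
        }
    }

    // Fallback for code still on a release before 1.5, where setFileCountMax does not exist:
    // the streaming API hands over one part at a time, so the application can count parts
    // itself and stop before the library has to hold the whole request.
    static int parseWithManualPartLimit(ServletFileUpload upload, HttpServletRequest req,
                                        long maxParts) throws FileUploadException, IOException {
        FileItemIterator it = upload.getItemIterator(req);
        int count = 0;
        while (it.hasNext()) {
            FileItemStream part = it.next();
            if (++count > maxParts) {
                throw new FileUploadException("part limit of " + maxParts + " exceeded");
            }
            try (InputStream in = part.openStream()) {
                store(part.getFieldName(), part.isFormField(), in);
            }
        }
        return count;
    }

    // Placeholder consumer for this example: drains the part and returns its byte count.
    static long store(String field, boolean isFormField, InputStream in) throws IOException {
        long n = 0;
        byte[] buf = new byte[8192];
        int r;
        while ((r = in.read(buf)) != -1) {
            n += r;
        }
        return n;
    }
}
```

To check a deployment, send the endpoint a multipart body with more parts than the configured maximum and confirm it answers 400 immediately instead of parsing to the end; with unboundedUpload() the same request is accepted and every part is materialised. The three limits are independent, so a request with a small total size can still carry thousands of empty parts, which is why setSizeMax on its own is only a coarse mitigation.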

Exploit

Fix

DoS

Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

ALSA-2023:6570
ALSA-2023:7065
ALSA-2024:1134
ALSA-2024:1444
ALSA-2025:14177
ALSA-2025:14181
ALSA-2025:16880
ALT-PU-2025-9146
BDU:2023-02037
CESA-2023:7065
CLEANSTART-2026-AJ47488
CLEANSTART-2026-AM95501
CLEANSTART-2026-CD66042
CLEANSTART-2026-GR86205
CLEANSTART-2026-KB11938
CLEANSTART-2026-MR27796
CLEANSTART-2026-RH10099
CLEANSTART-2026-RK94800
CLEANSTART-2026-SJ80413
CLEANSTART-2026-TN71701
CLEANSTART-2026-UZ56639
CLEANSTART-2026-XI02879
CLEANSTART-2026-XP03839
CLEANSTART-2026-XP58111
CVE-2023-24998
DLA-3617-1
DLA-4245-1
DSA-5522-1
ELSA-2023-6570
ELSA-2023-7065
GHSA-HFRX-6QGJ-FP6C
MGASA-2023-0070
MGASA-2023-0138
OESA-2023-1155
OESA-2024-1100
OPENSUSE-SU-2024:12750-1
OPENSUSE-SU-2024:12950-1
OPENSUSE-SU-2024:13441-1
RHSA-2023:3299
RHSA-2023:4909
RHSA-2023:6570
RHSA-2023:7065
SUSE-SU-2023:0695-1
SUSE-SU-2023:0696-1
SUSE-SU-2023:0697-1
SUSE-SU-2023:0730-1
SUSE-SU-2023:0758-1
SUSE-SU-2023:1769-1
SUSE-SU-2023:2318-1
SUSE-SU-2023:2319-1
SUSE-SU-2023:2390-1
SUSE-SU-2023:2504-1
SUSE-SU-2023:2505-1
SUSE-SU-2026:1058-1

Affected Products

Alt Linux
Almalinux
Apache Commons Fileupload
Apache Tomcat
Astra Linux
Centos
Debian
Red Hat
Red Os
Suse