{"id":"CVE-2023-24998","details":"Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\nNote that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.","aliases":["GHSA-hfrx-6qgj-fp6c"],"modified":"2026-04-11T12:45:41.978242Z","published":"2023-02-20T16:15:10.423Z","related":["ALSA-2023:6570","ALSA-2023:7065","CGA-pj4r-m49c-rmj4","MGASA-2023-0070","MGASA-2023-0138","SUSE-SU-2023:0695-1","SUSE-SU-2023:0696-1","SUSE-SU-2023:0697-1","SUSE-SU-2023:0730-1","SUSE-SU-2023:0758-1","SUSE-SU-2023:1769-1","SUSE-SU-2023:2390-1","SUSE-SU-2023:2505-1","SUSE-SU-2026:1058-1","openSUSE-SU-2024:12750-1","openSUSE-SU-2024:12950-1","openSUSE-SU-2024:13441-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.0-beta"}],"cpe":"cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"11.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202305-37"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230302-0013/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241108-0002/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5522"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2023/05/22/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/commons-fileupload","events":[{"introduced":"cdfbeaa120cba6a8f1527b91600317ee374450c2"},{"fixed":"1d9a750e5091b6e36aa81c2277200a4b2b5ecd8a"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"1.0"},{"fixed":"1.5"}],"cpe":"cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-24998.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}