CVE-2023-24998
Published: 20 February 2023
Summary
CVE-2023-24998 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Apache Commons FileUpload. Its CVSS base score is 7.5 (High).
Its EPSS score places it in the top 2.7% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache Commons FileUpload before version 1.5 is affected by a denial-of-service vulnerability: the library imposes no limit on the number of parts it will process in a multipart request. The flaw is tracked as CWE-770 and carries a CVSS 3.1 base score of 7.5, reflecting that it is exploitable over the network without authentication or user interaction and has a high impact on availability (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated remote attacker can submit a single malicious multipart request, or a sustained series of them, containing an excessive number of parts. Because the library allocates resources for every part, the target application or service can be driven into resource exhaustion and denial of service. The existing byte-oriented limits (maximum request size, maximum file size) do not help here: a request made of very many tiny parts stays under both while still forcing one allocation per part.
Advisories from the Apache project, Debian, and Gentoo indicate that the issue is addressed in FileUpload 1.5 by the addition of the FileUploadBase#setFileCountMax configuration option. Upgrading alone does not close the issue: like the other upload limits, the part-count limit is disabled by default and must be set explicitly by the integrating application. Corresponding package updates have been issued for affected distributions, including Debian DSA-5522 and Gentoo GLSA-202305-37.
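The following is an added example, not code from the Apache project or from this page, showing the configuration shape that is exposed to this issue next to one that bounds the part count on commons-fileupload 1.5. The class name UploadLimits, the helper method names, and the limit values are illustrative choices for this example; only ServletFileUpload, DiskFileItemFactory, setSizeMax, setFileSizeMax, setFileCountMax, the streaming iterator, and FileCountLimitExceededException are the library's own API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileItemIterator;
import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Example only (not project code). Shows the configuration exposed to
 * CVE-2023-24998 beside one that bounds the number of multipart parts.
 * The limit values are illustrative policy choices, not advisory guidance.
 */
public class UploadLimits {

    static final long MAX_PARTS = 20;                       // fileCountMax: parts per request
    static final long MAX_FILE_SIZE = 10L * 1024 * 1024;    // bytes per part
    static final long MAX_REQUEST_SIZE = 50L * 1024 * 1024; // bytes per request

    /**
     * Exposed shape: byte limits are set, but nothing bounds the number of parts.
     * Many tiny parts stay under sizeMax while the library creates a FileItem
     * (and possibly a temp file) for each one. Before 1.5 there is no API to
     * bound this; on 1.5 the default is still unlimited.
     */
    static List<FileItem> parseUnbounded(HttpServletRequest request) throws FileUploadException {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileSizeMax(MAX_FILE_SIZE);
        upload.setSizeMax(MAX_REQUEST_SIZE);
        return upload.parseRequest(request);
    }

    /** Hardened shape (requires commons-fileupload 1.5 or later): bound the part count explicitly. */
    static List<FileItem> parseBounded(HttpServletRequest request) throws FileUploadException {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileSizeMax(MAX_FILE_SIZE);
        upload.setSizeMax(MAX_REQUEST_SIZE);
        upload.setFileCountMax(MAX_PARTS); // the CVE-2023-24998 knob; unlimited unless set
        try {
            return upload.parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Parsing stops at the limit; map this to a client error (400 or 413) upstream.
            throw new FileUploadException("too many multipart parts (limit " + MAX_PARTS + ")", e);
        }
    }

    /**
     * Streaming API: this example counts parts itself rather than relying on the
     * library, so the guard does not depend on which code paths fileCountMax covers.
     * Each part is consumed before the next is read, so nothing accumulates unless
     * the application chooses to keep it.
     */
    static long consumeStreaming(HttpServletRequest request) throws FileUploadException, IOException {
        FileItemIterator it = new ServletFileUpload().getItemIterator(request);
        byte[] buf = new byte[8192];
        long parts = 0;
        while (it.hasNext()) {
            FileItemStream item = it.next();
            if (++parts > MAX_PARTS) {
                throw new FileUploadException("too many multipart parts (limit " + MAX_PARTS + ")");
            }
            try (InputStream in = item.openStream()) {
                while (in.read(buf) != -1) {
                    // placeholder sink; real code would validate and store the part here
                }
            }
        }
        return parts;
    }
}
```

The practical check is the absence of a setFileCountMax call on any FileUploadBase subclass (ServletFileUpload, PortletFileUpload) in the code base, together with the dependency version: both are needed, because a 1.5 build with the default configuration still processes an unbounded number of parts.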
The CVE’s EPSS score reached a peak of 0.5353 before receding to its current value of 0.3774, indicating measurable post-disclosure interest in exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0720
Vulnerability details
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
- Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit a lack of throttling to cause prolonged outages.
- Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- Alternate services allow operations to continue when the primary allocation of resources lacks limits or throttling.
- Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
- Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
- Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.