7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-24998

GHSA ID

GHSA-hfrx-6qgj-fp6c

EPSS Score

0.97228%

CWE

CWE-770

Published

2/20/2023

Updated

2/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-24998

CVE-2023-24998: Apache Commons FileUpload denial of service vulnerability

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-24998

GHSA ID

GHSA-hfrx-6qgj-fp6c

EPSS Score

0.97228%

CWE

CWE-770

Published

2/20/2023

Updated

2/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
commons-fileupload:commons-fileupload	maven	< 1.5	1.5
org.apache.tomcat:tomcat-coyote	maven	>= 10.1.0-M1, < 10.1.5	10.1.5
org.apache.tomcat:tomcat-coyote	maven	>= 11.0.0-M2, < 11.0.0-M5	11.0.0-M5
org.apache.tomcat:tomcat-coyote	maven	>= 8.5.85, < 8.5.88	8.5.88
org.apache.tomcat:tomcat-coyote	maven	>= 9.0.0-M1, < 9.0.71	9.0.71
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 10.1.0-M1, < 10.1.5	10.1.5
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 11.0.0-M2, < 11.0.0-M5	11.0.0-M5
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 8.5.85, < 8.5.88	8.5.88
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 9.0.0-M1, < 9.0.71	9.0.71

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing file count limit checks in multipart request processing. The GitHub commit e20c049 shows the critical addition of fileCountMax validation in FileUploadBase.parseRequest(). Pre-patch code (seen in diff lines 337-373) processes parts in a while(iter.hasNext()) loop without checking items.size() against a limit. Tomcat's CVE-2023-24998 advisory confirms they used vulnerable FileUpload code. The Tomcat commit 9ca96c8 shows identical fixes in their fork, confirming equivalent vulnerable functions exist in their codebase.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** *ommons *il*Uplo** ***or* *.* *o*s not limit t** num**r o* r*qu*st p*rts to ** pro**ss** r*sultin* in t** possi*ility o* *n *tt**k*r tri***rin* * *oS wit* * m*li*ious uplo** or s*ri*s o* uplo**s. Not* t**t, lik* *ll o* t** *il* uplo** limits,

Reasoning

T** vuln*r**ility st*ms *rom missin* *il* *ount limit ****ks in multip*rt r*qu*st pro**ssin*. T** *it*u* *ommit `*******` s*ows t** *riti**l ***ition o* `*il**ountM*x` v*li**tion in `*il*Uplo****s*.p*rs*R*qu*st()`. Pr*-p*t** *o** (s**n in *i** lin*s

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-24998: Apache Commons FileUpload denial of service vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI