Apache Commons FileUpload & Tomcat DoS Vulnerability (CVE-2023-24998)
Feb 24, 2023 GMT+08:00
1. Overview

Recently, Apache Commons released an official security advisory disclosing a DoS vulnerability (CVE-2023-24998) in Apache Commons FileUpload versions earlier than 1.5. Apache Commons FileUpload does not limit the number of request parts it processes, so an attacker can trigger a DoS with a malicious upload or a series of uploads.

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Therefore, Apache Tomcat is also affected by CVE-2023-24998.

Commons FileUpload is a free upload component provided by Apache. If you are an Apache Commons FileUpload user, check your system and implement timely security hardening.

Reference:

https://commons.apache.org/proper/commons-fileupload/security-reports.html

https://tomcat.apache.org/security-10.html

2. Severity

Severity: important

(Severity scale: low, moderate, important, and critical)

3. Affected Products

Affected versions:

Apache Commons FileUpload 1.0-beta-1 - 1.4

Apache Tomcat 11.0.0-M1

Apache Tomcat 10.1.0-M1 - 10.1.4

Apache Tomcat 9.0.0-M1 - 9.0.70

Apache Tomcat 8.5.0 - 8.5.84

Secure versions:

Apache Commons FileUpload >= 1.5

Apache Tomcat >= 11.0.0-M3

Apache Tomcat >= 10.1.5

Apache Tomcat >= 9.0.71

Apache Tomcat >= 8.5.85

Apache Commons FileUpload is vulnerable only when both of the following conditions are met:

1) The Commons-FileUpload package of the affected version is used.

2) Neither the number nor the size of uploaded files is limited when org.apache.commons.fileupload is invoked directly or through a wrapper that repackages commons-fileupload.

Apache Tomcat is vulnerable only when both of the following conditions are met:

1) The Tomcat version is affected.

2) Neither the number nor the size of uploaded files is limited when the org.apache.tomcat.util.http.fileupload package is used.
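The unbounded invocation described in condition 2) above, beside a bounded one for Commons FileUpload 1.5, as an added illustration that is not code from this advisory or from the Apache projects; the class name and the limit values are assumptions to be adapted to the application's real upload form.

```java
import java.io.File;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public final class UploadLimits {

    // Constructed limits (assumptions); size them to the upload form you actually serve.
    static final long MAX_PARTS = 20;                        // parts per multipart request
    static final long MAX_FILE_BYTES = 5L * 1024 * 1024;     // per uploaded file
    static final long MAX_REQUEST_BYTES = 25L * 1024 * 1024; // whole request body

    /** Vulnerable pattern (condition 2 above): no limits, so a request carrying a
     *  huge number of parts or an unbounded body is parsed in full (CVE-2023-24998). */
    static List<FileItem> parseUnbounded(HttpServletRequest req) throws FileUploadException {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        return upload.parseRequest(req);
    }

    /** Bounded pattern on FileUpload >= 1.5: cap part count, per-file size and total size. */
    static List<FileItem> parseBounded(HttpServletRequest req) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            throw new FileUploadException("not a multipart request");
        }
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(64 * 1024); // spill parts larger than 64 KiB to disk
        factory.setRepository(new File(System.getProperty("java.io.tmpdir")));

        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setFileCountMax(MAX_PARTS);      // new in 1.5; no limit unless set explicitly
        upload.setFileSizeMax(MAX_FILE_BYTES);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        try {
            return upload.parseRequest(req);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Too many parts: parsing stops at the cap; log it, as repeats suggest a DoS attempt.
            throw new FileUploadException("too many parts (limit " + e.getLimit() + ")", e);
        } catch (FileUploadBase.SizeLimitExceededException
                 | FileUploadBase.FileSizeLimitExceededException e) {
            throw new FileUploadException("upload exceeds the configured size limit", e);
        }
    }
}
```

Tomcat's packaged copy takes the per-file and per-request size limits from the servlet's @MultipartConfig, and the fixed Tomcat versions cap the number of parts with the Connector's maxParameterCount attribute.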

4. Vulnerability Handling

This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to the latest secure version listed above.

https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi

https://tomcat.apache.org/index.html

Note: Before applying the fix, back up your files and test the upgrade thoroughly.

5. Technical Support

Get more professional support at any time

Contact Us

Email: GlobalTechnicalService@iwhalecloud.com