Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| commons-fileupload:commons-fileupload (Maven) | 0 | 1.5 | N/A |
| org.apache.tomcat:tomcat-coyote (Maven) | 10.1.0-M1 | 10.1.5 | N/A |
| org.apache.tomcat:tomcat-coyote (Maven) | 11.0.0-M2 | 11.0.0-M5 | N/A |
| org.apache.tomcat:tomcat-coyote (Maven) | 8.5.85 | 8.5.88 | N/A |
| org.apache.tomcat:tomcat-coyote (Maven) | 9.0.0-M1 | 9.0.71 | N/A |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | 10.1.0-M1 | 10.1.5 | N/A |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | 11.0.0-M2 | 11.0.0-M5 | N/A |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | 8.5.85 | 8.5.88 | N/A |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | 9.0.0-M1 | 9.0.71 | N/A |
CVSS Metrics