{"api_version":"1","generated_at":"2026-04-22T21:02:45+00:00","cve":"CVE-2023-24998","urls":{"html":"https://cve.report/CVE-2023-24998","api":"https://cve.report/api/cve/CVE-2023-24998.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-24998","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-24998"},"summary":{"title":"CVE-2023-24998","description":"Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\nNote that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2023-02-20 16:15:00","updated_at":"2023-10-13 16:15:00"},"problem_types":["CWE-770"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2023/dsa-5522","name":"https://www.debian.org/security/2023/dsa-5522","refsource":"MISC","tags":[],"title":"Debian -- Security Information -- DSA-5522-1 tomcat9","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html","name":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3617-1] tomcat9 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/22/1","name":"http://www.openwall.com/lists/oss-security/2023/05/22/1","refsource":"MISC","tags":[],"title":"oss-security - CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was\n 
incomplete","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202305-37","name":"https://security.gentoo.org/glsa/202305-37","refsource":"MISC","tags":[],"title":"Apache Tomcat: Multiple Vulnerabilities (GLSA 202305-37) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy","name":"https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-24998","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24998","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"24998","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"commons_fileupload","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"24998","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"commons_fileupload","cpe6":"1.0","cpe7":"beta","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-24998","qid":"150676","title":"Oracle WebLogic Server Multiple Vulnerabilities (APR-2023)"},{"cve":"CVE-2023-24998","qid":"150687","title":"Apache Tomcat FileUpload Denial Of Service (DoS) Vulnerability (CVE-2023-24998)"},{"cve":"CVE-2023-24998","qid":"161103","title":"Oracle Enterprise Linux Security Update for tomcat (ELSA-2023-6570)"},{"cve":"CVE-2023-24998","qid":"161166","title":"Oracle Enterprise Linux Security 
Update for tomcat (ELSA-2023-7065)"},{"cve":"CVE-2023-24998","qid":"184748","title":"Debian Security Update for tomcat9libcommons-fileupload-javatomcat10 (CVE-2023-24998)"},{"cve":"CVE-2023-24998","qid":"20341","title":"Oracle Database 19c Critical Patch Update - April 2023"},{"cve":"CVE-2023-24998","qid":"20342","title":"Oracle Database 21c Critical Patch Update - April 2023"},{"cve":"CVE-2023-24998","qid":"20343","title":"Oracle Database 19c Critical OJVM Patch Update - April 2023"},{"cve":"CVE-2023-24998","qid":"20354","title":"Oracle Database 19c Critical Patch Update - July 2023"},{"cve":"CVE-2023-24998","qid":"20355","title":"Oracle Database 21c Critical Patch Update - July 2023"},{"cve":"CVE-2023-24998","qid":"20356","title":"Oracle Database 19c Critical OJVM Patch Update - July 2023"},{"cve":"CVE-2023-24998","qid":"242102","title":"Red Hat Update for red hat jboss web server 5.7.4 (RHSA-2023:4909)"},{"cve":"CVE-2023-24998","qid":"242313","title":"Red Hat Update for tomcat (RHSA-2023:6570)"},{"cve":"CVE-2023-24998","qid":"242462","title":"Red Hat Update for tomcat (RHSA-2023:7065)"},{"cve":"CVE-2023-24998","qid":"354924","title":"Amazon Linux Security Advisory for tomcat7 : ALAS-2023-1738"},{"cve":"CVE-2023-24998","qid":"356243","title":"Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-013"},{"cve":"CVE-2023-24998","qid":"356298","title":"Amazon Linux Security Advisory for tomcat : ALASTOMCAT9-2023-008"},{"cve":"CVE-2023-24998","qid":"356454","title":"Amazon Linux Security Advisory for tomcat8 : ALAS-2023-1861"},{"cve":"CVE-2023-24998","qid":"378459","title":"IBM WebSphere Application Server Liberty Denial of Service (DoS) Vulnerability (6982047)"},{"cve":"CVE-2023-24998","qid":"378460","title":"IBM WebSphere Application Server Denial Of Service (DOS) Vulnerability (6982047)"},{"cve":"CVE-2023-24998","qid":"378672","title":"IBM MQ Denial of Service (DoS) Vulnerabilities (7007425)"},{"cve":"CVE-2023-24998","qid":"6000246","title":"Debian 
Security Update for tomcat9 (DSA 5522-1)"},{"cve":"CVE-2023-24998","qid":"6000257","title":"Debian Security Update for tomcat9 (DLA 3617-1)"},{"cve":"CVE-2023-24998","qid":"672870","title":"EulerOS Security Update for tomcat (EulerOS-SA-2023-1612)"},{"cve":"CVE-2023-24998","qid":"673096","title":"EulerOS Security Update for tomcat (EulerOS-SA-2023-2177)"},{"cve":"CVE-2023-24998","qid":"691093","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for jenkins (f68bb358-be8e-11ed-9215-00e081b7aa2d)"},{"cve":"CVE-2023-24998","qid":"710733","title":"Gentoo Linux Apache Tomcat Multiple Vulnerabilities (GLSA 202305-37)"},{"cve":"CVE-2023-24998","qid":"730732","title":"Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2023-24998)"},{"cve":"CVE-2023-24998","qid":"730733","title":"Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2023-24998)"},{"cve":"CVE-2023-24998","qid":"730734","title":"Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2023-24998)"},{"cve":"CVE-2023-24998","qid":"730753","title":"Jenkins Multiple Security Vulnerabilities (SECURITY-3030, SECURITY-2120)"},{"cve":"CVE-2023-24998","qid":"730810","title":"Apache Tomcat denial of service Vulnerability (CVE-2023-24998)"},{"cve":"CVE-2023-24998","qid":"730811","title":"Apache Tomcat denial of service Vulnerability (CVE-2023-24998)"},{"cve":"CVE-2023-24998","qid":"730812","title":"Apache Tomcat denial of service Vulnerability (CVE-2023-24998)"},{"cve":"CVE-2023-24998","qid":"730845","title":"IBM MQ Appliance Denial-of Service Vulnerability (7007743)"},{"cve":"CVE-2023-24998","qid":"730871","title":"Atlassian Confluence Server and Data Center Third-Party Dependency Vulnerability (CONFSERVER-90185)"},{"cve":"CVE-2023-24998","qid":"753764","title":"SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2023:0697-1)"},{"cve":"CVE-2023-24998","qid":"753765","title":"SUSE Enterprise Linux Security Update for tomcat 
(SUSE-SU-2023:0696-1)"},{"cve":"CVE-2023-24998","qid":"753773","title":"SUSE Enterprise Linux Security Update for jakarta-commons-fileupload (SUSE-SU-2023:0730-1)"},{"cve":"CVE-2023-24998","qid":"753805","title":"SUSE Enterprise Linux Security Update for jakarta-commons-fileupload (SUSE-SU-2023:0758-1)"},{"cve":"CVE-2023-24998","qid":"753891","title":"SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2023:1769-1)"},{"cve":"CVE-2023-24998","qid":"754070","title":"SUSE Enterprise Linux Security Update for apache-commons-fileupload (SUSE-SU-2023:2390-1)"},{"cve":"CVE-2023-24998","qid":"754094","title":"SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2023:2505-1)"},{"cve":"CVE-2023-24998","qid":"87542","title":"Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2023)"},{"cve":"CVE-2023-24998","qid":"941389","title":"AlmaLinux Security Update for tomcat (ALSA-2023:6570)"},{"cve":"CVE-2023-24998","qid":"941469","title":"AlmaLinux Security Update for tomcat (ALSA-2023:7065)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-24998","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\n\n\n\nNote that, like all of the file upload limits, the\n          new configuration option (FileUploadBase#setFileCountMax) is not\n          enabled by default and must be explicitly configured.\n\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-770 Allocation of Resources Without Limits or Throttling","cweId":"CWE-770"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache Commons 
FileUpload","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.5"}]}},{"product_name":"Apache Tomcat","version":{"version_data":[{"version_affected":"=","version_value":"11.0.0-M1"},{"version_affected":"<=","version_name":"10.0.0-M1","version_value":"10.1.4"},{"version_affected":"<=","version_name":"9.0.0-M1","version_value":"9.0.70"},{"version_affected":"<=","version_name":"8.5.0","version_value":"8.5.84"}]}}]}}]}},"references":{"reference_data":[{"url":"https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy","refsource":"MISC","name":"https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/22/1","refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2023/05/22/1"},{"url":"https://security.gentoo.org/glsa/202305-37","refsource":"MISC","name":"https://security.gentoo.org/glsa/202305-37"},{"url":"https://www.debian.org/security/2023/dsa-5522","refsource":"MISC","name":"https://www.debian.org/security/2023/dsa-5522"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"EXTERNAL"},"credits":[{"lang":"en","value":"Jakob Ackermann"}]},"nvd":{"publishedDate":"2023-02-20 16:15:00","lastModifiedDate":"2023-10-13 
16:15:00","problem_types":["CWE-770"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0","versionEndExcluding":"1.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}