CVE-2023-24998 - Denial of Service (DoS)
Severity: High
2023-04-06
Abstract
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
The Oxygen products incorporate Apache Commons FileUpload as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen XML Web Author v25.0.0.3 and older | High | Oxygen XML Web Author 25.1 build 2023031320 |
Detail
CVE-2023-24998
Severity: High
CVSS Score: 7.5
The Apache Commons FileUpload third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2023-24998 vulnerability description.
Starting with Oxygen XML Web Author v25.1 build 2023031320, the Apache Tomcat library was updated to v9.0.73, which fixes this vulnerability.
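The abstract notes that the part-count limit added in Commons FileUpload 1.5 (FileUploadBase#setFileCountMax) is off by default and must be configured explicitly. The following is an added example, not code from this advisory or from the Oxygen product, showing the unlimited configuration next to a hardened one; it assumes commons-fileupload 1.5 and the javax.servlet API on the classpath, and the limit values are illustrative.

```java
import java.io.File;
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

// Added example (not from the advisory or the Oxygen project).
public final class UploadLimits {
    private static final Logger LOG = Logger.getLogger(UploadLimits.class.getName());

    // Weak setting: no limits configured. Before 1.5 no part-count limit existed,
    // and in 1.5 the default is still unlimited, so this is the shape the CVE describes.
    static ServletFileUpload unlimitedUpload() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    // Hardened setting: cap the number of parts as well as per-file and request size.
    // The numbers are illustrative; pick them per endpoint.
    static ServletFileUpload limitedUpload(File tempDir) {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setRepository(tempDir);
        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setFileCountMax(10);                 // at most 10 parts per request (new in 1.5)
        upload.setFileSizeMax(10L * 1024 * 1024);   // 10 MiB per uploaded file
        upload.setSizeMax(50L * 1024 * 1024);       // 50 MiB for the whole request
        return upload;
    }

    // Parses the request with the configured limits; exceeding the part count raises
    // FileUploadBase.FileCountLimitExceededException (added in 1.5), which the servlet
    // should map to a client error. Repeated hits from one source are the DoS signal.
    static List<FileItem> parse(ServletFileUpload upload, HttpServletRequest request)
            throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        try {
            return upload.parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            LOG.warning("rejected multipart request: part count limit exceeded ("
                    + upload.getFileCountMax() + ") from " + request.getRemoteAddr());
            throw e;
        }
    }
}
```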