Apache Commons FileUpload before 1.5 does not limit the number of request parts it processes, so an attacker can trigger a denial of service with a single malicious multipart upload or a series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax, added in 1.5) is not enabled by default and must be explicitly configured; upgrading the library alone does not cap the number of parts.
See CWE-770: Allocation of Resources Without Limits or Throttling
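The following is an added example and is not code from Vaadin or from Apache Commons FileUpload. It shows a plain servlet that parses a multipart request with commons-fileupload 1.5 and turns on the three limits the library leaves disabled by default (part count, per-part size, total body size). The servlet class name, the limit values and the response handling are illustrative assumptions; Vaadin applications receive the fix by upgrading flow-server as listed below, whereas applications that use Commons FileUpload directly must set these limits themselves.

```java
// Added example (not Vaadin's or Commons FileUpload's own code).
// Assumes commons-fileupload:commons-fileupload:1.5 and the javax.servlet API.
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class BoundedUploadServlet extends HttpServlet {

    // Hypothetical limits chosen for illustration; tune them per application.
    private static final long MAX_PARTS = 10;                        // setFileCountMax (new in 1.5)
    private static final long MAX_PART_BYTES = 5L * 1024 * 1024;     // per part
    private static final long MAX_REQUEST_BYTES = 20L * 1024 * 1024; // whole multipart body

    static ServletFileUpload newUpload() {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        ServletFileUpload upload = new ServletFileUpload(factory);
        // All three default to -1 (unlimited); each must be set explicitly.
        upload.setFileCountMax(MAX_PARTS);     // CVE-2023-24998: caps the number of parts
        upload.setFileSizeMax(MAX_PART_BYTES); // caps each individual part
        upload.setSizeMax(MAX_REQUEST_BYTES);  // caps the entire request body
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data required");
            return;
        }
        try {
            List<FileItem> items = newUpload().parseRequest(req);
            for (FileItem item : items) {
                if (item.isFormField()) {
                    continue;
                }
                // ... consume item.getInputStream() under a server-generated file name ...
                item.delete(); // release the temporary file once it has been consumed
            }
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Thrown by 1.5 as soon as the part count exceeds setFileCountMax.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "too many parts in request");
        } catch (FileUploadBase.SizeLimitExceededException
                 | FileUploadBase.FileSizeLimitExceededException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload too large");
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart request");
        }
    }
}
```

Exceeding the part count fails fast with a 4xx rather than letting the parser allocate state for every part the client sends, which is the resource exhaustion described by CWE-770. Without the `setFileCountMax` call the same code compiled against 1.5 remains vulnerable, since the limit is opt-in.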
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version | Mitigation |
|---|---|
| Vaadin 10.0.0 - 10.0.21 | Upgrade to 10.0.22 (Vaadin extended maintenance starting from June 2023) |
| Vaadin 11.0.0 - 14.9.6 | Upgrade to 14.9.7 or newer |
| Vaadin 15.0.0 - 22.0.28 | Upgrade to 22.1.0 (Vaadin extended maintenance starting from March 2023) |
| Vaadin 23.0.0 - 23.3.7 | Upgrade to 23.3.8 or newer |
Please note that Vaadin versions 11-13 and 15-22.0 are no longer supported; you should update to the latest 14, 22.1, 23 or 24 version.
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:flow-server | 1.0.0 - 1.0.17 | ≥1.0.18 |
| com.vaadin:flow-server | 1.1.0 - 2.8.5 | ≥2.8.6 |
| com.vaadin:flow-server | 3.0.0 - 9.0.26 | ≥9.1.0 |
| com.vaadin:flow-server | 23.0.0 - 23.3.4 | ≥23.3.5 |
| com.vaadin:flow-server | 24.0.0.alpha1 - 24.0.rc3 | ≥24.0.0 |
References
Original CVE: nvd.nist.gov/vuln/detail/CVE-2023-24998
Vendor advisory: lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy