📂 Vulnerable Library - commons-fileupload-1.3.2.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://www.apache.org/
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.2/commons-fileupload-1.3.2.jar
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000031 | 🟣 Critical | 9.3 | Not Defined | 24.2% | commons-fileupload-1.3.2.jar | Direct | commons-fileupload:commons-fileupload:1.3.3 | ✅ | Reachable |
| CVE-2023-24998 | 🔴 High | 8.7 | Not Defined | 37.7% | commons-fileupload-1.3.2.jar | Direct | commons-fileupload:commons-fileupload:1.5, org.apache.tomcat.embed:tomcat-embed-core:9.0.71, org.apache.tomcat:tomcat-coyote:11.0.0-M5, org.apache.tomcat.embed:tomcat-embed-core:10.1.5, org.apache.tomcat.embed:tomcat-embed-core:11.0.0-M5, org.apache.tomcat.embed:tomcat-embed-core:8.5.88, org.apache.tomcat:tomcat-coyote:8.5.88, org.apache.tomcat:tomcat-coyote:10.1.5, org.apache.tomcat:tomcat-coyote:9.0.71 | ✅ | Reachable |
| WS-2014-0034 | 🔴 High | 7.5 | N/A | N/A | commons-fileupload-1.3.2.jar | Direct | commons-fileupload:commons-fileupload:1.4 | ✅ | Reachable |
| CVE-2021-29425 | 🟠 Medium | 6.3 | Not Defined | < 1% | commons-io-2.4.jar | Transitive | N/A | ❌ | Reachable |
Details
🟣CVE-2016-1000031
Vulnerable Library - commons-fileupload-1.3.2.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://www.apache.org/
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.2/commons-fileupload-1.3.2.jar
Dependency Hierarchy:
- ❌ commons-fileupload-1.3.2.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.veracode.verademo.controller.UserController (Application)
- org.springframework.web.multipart.commons.CommonsMultipartResolver$1 (Extension)
- org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
- org.apache.commons.fileupload.FileUploadBase (Extension)
-> ❌ org.apache.commons.fileupload.FileUploadBase$UnknownSizeException (Vulnerable Component)
Vulnerability Details
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: Oct 25, 2016 02:00 PM
URL: CVE-2016-1000031
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 24.2%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-7x9j-7223-rg5m
Release Date: Oct 25, 2016 02:00 PM
Fix Resolution: commons-fileupload:commons-fileupload:1.3.3
🔴CVE-2023-24998
Vulnerable Library - commons-fileupload-1.3.2.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://www.apache.org/
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.2/commons-fileupload-1.3.2.jar
Dependency Hierarchy:
- ❌ commons-fileupload-1.3.2.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.veracode.verademo.controller.UserController (Application)
- org.springframework.web.multipart.commons.CommonsMultipartResolver$1 (Extension)
- org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
-> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)
Vulnerability Details
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, so an attacker can trigger a denial of service with a malicious upload or a series of uploads.
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured after upgrading.
Publish Date: Feb 20, 2023 03:57 PM
URL: CVE-2023-24998
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 37.7%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hfrx-6qgj-fp6c
Release Date: Feb 20, 2023 03:57 PM
Fix Resolution: commons-fileupload:commons-fileupload:1.5, org.apache.tomcat.embed:tomcat-embed-core:9.0.71, org.apache.tomcat:tomcat-coyote:11.0.0-M5, org.apache.tomcat.embed:tomcat-embed-core:10.1.5, org.apache.tomcat.embed:tomcat-embed-core:11.0.0-M5, org.apache.tomcat.embed:tomcat-embed-core:8.5.88, org.apache.tomcat:tomcat-coyote:8.5.88, org.apache.tomcat:tomcat-coyote:10.1.5, org.apache.tomcat:tomcat-coyote:9.0.71
🔴WS-2014-0034
Vulnerable Library - commons-fileupload-1.3.2.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://www.apache.org/
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.2/commons-fileupload-1.3.2.jar
Dependency Hierarchy:
- ❌ commons-fileupload-1.3.2.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.veracode.verademo.controller.UserController (Application)
- org.springframework.web.multipart.commons.CommonsMultipartResolver$1 (Extension)
- org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
-> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)
Vulnerability Details
The class FileUploadBase in Apache Commons FileUpload before 1.4 has a potential resource leak: the InputStream is not closed when an exception is thrown.
Publish Date: Feb 17, 2014 12:13 AM
URL: WS-2014-0034
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: apache/commons-fileupload@5b4881d
Release Date: Feb 17, 2014 12:13 AM
Fix Resolution: commons-fileupload:commons-fileupload:1.4
🟠CVE-2021-29425
Vulnerable Library - commons-io-2.4.jar
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
Library home page: http://www.apache.org/
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar
Dependency Hierarchy:
- commons-fileupload-1.3.2.jar (Root Library)
- ❌ commons-io-2.4.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.veracode.verademo.controller.UserController (Application)
- org.springframework.web.multipart.commons.CommonsMultipartResolver$1 (Extension)
- org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
- org.apache.commons.fileupload.disk.DiskFileItemFactory (Extension)
- org.apache.commons.io.FileCleaningTracker (Extension)
- org.apache.commons.io.FileDeleteStrategy (Extension)
- org.apache.commons.io.FileDeleteStrategy$ForceFileDeleteStrategy (Extension)
- org.apache.commons.io.FileUtils (Extension)
-> ❌ org.apache.commons.io.FilenameUtils (Vulnerable Component)
Vulnerability Details
In Apache Commons IO before 2.7, invoking the method FilenameUtils.normalize with an improper input string such as "//../foo" or "\..\foo" returns the same value unchanged. If the calling code uses the result to construct a path, this can give access to files in the parent directory, but not further above (a "limited" path traversal).
Publish Date: Apr 13, 2021 06:50 AM
URL: CVE-2021-29425
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-gwrp-pvrq-jmwv
Release Date: Apr 13, 2021 06:50 AM
Fix Resolution: org.checkerframework.annotatedlib:commons-io:2.7, commons-io:commons-io:2.7