High severityNVD Advisory· Published Oct 28, 2013· Updated Apr 29, 2026

CVE-2013-2186

Description

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
commons-fileupload:commons-fileuploadMaven	< 1.3.1	1.3.1

Affected products

Red Hat/Jboss Enterprise Brms Platform
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:*
Red Hat/Jboss Enterprise Portal Platform3 versions
cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_portal_platform:6.0.0:*:*:*:*:*:*:*
Red Hat/Jboss Enterprise Web Server
cpe:2.3:a:redhat:jboss_enterprise_web_server:1.0.2:*:*:*:*:*:*:*
Red Hat/Openshift
cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*
Range: <=3.1
Ubuntu/Ubuntu
cpe:2.3:o:ubuntu:ubuntu:10.04:*:lts:*:*:*:*:*

Patches

163a6061fbc0

When deserializing DiskFileItems ensure that the repository location, if any, is a valid one.

https://github.com/apache/commons-fileuploadMark ThomasJul 25, 2013via ghsa

commit

3 files changed · +126 −38

src/changes/changes.xml+7 −0 modified

@@ -43,6 +43,13 @@ The <action> type attribute can be add,update,fix,remove.
   </properties>
 
   <body>
+    <release version="1.3.1" description="maintenance release" date="TBD">
+      <action dev="markt" type="fix" due-to="Arun Babu Neelicattu" due-to-email="abn@redhat.com">
+        When deserializing DiskFileItems ensure that the repository location, if
+        any, is a valid one.
+      </action>
+    </release>
+    
     <release version="1.3" description="maintenance release, JDK1.5 update" date="2013-03-27">
       <!-- important notes -->
       <action dev="markt" type="fix">

src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java+20 −0 modified

@@ -656,6 +656,26 @@ private void readObject(ObjectInputStream in)
         // read values
         in.defaultReadObject();
 
+        /* One expected use of serialization is to migrate HTTP sessions
+         * containing a DiskFileItem between JVMs. Particularly if the JVMs are
+         * on different machines It is possible that the repository location is
+         * not valid so validate it.
+         */
+        if (repository != null) {
+            if (repository.isDirectory()) {
+                // Check path for nulls
+                if (repository.getPath().contains("\0")) {
+                    throw new IOException(format(
+                            "The repository [%s] contains a null character",
+                            repository.getPath()));
+                }
+            } else {
+                throw new IOException(format(
+                        "The repository [%s] is not a directory",
+                        repository.getAbsolutePath()));
+            }
+        }
+
         OutputStream output = getOutputStream();
         if (cachedContent != null) {
             output.write(cachedContent);

src/test/java/org/apache/commons/fileupload/DiskFileItemSerializeTest.java+99 −38 modified

@@ -24,6 +24,7 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
@@ -51,14 +52,10 @@ public class DiskFileItemSerializeTest {
     private static final int threshold = 16;
 
     /**
-     * Test creation of a field for which the amount of data falls below the
-     * configured threshold.
+     * Helper method to test creation of a field when a repository is used.
      */
-    @Test
-    public void testBelowThreshold() throws Exception {
-        // Create the FileItem
-        byte[] testFieldValueBytes = createContentBytes(threshold - 1);
-        FileItem item = createFileItem(testFieldValueBytes);
+    public void testInMemoryObject(byte[] testFieldValueBytes, File repository) {
+        FileItem item = createFileItem(testFieldValueBytes, repository);
 
         // Check state is as expected
         assertTrue("Initial: in memory", item.isInMemory());
@@ -75,6 +72,24 @@ public void testBelowThreshold() throws Exception {
         // Compare FileItem's (except byte[])
         compareFileItems(item, newItem);
     }
+    
+    /**
+     * Helper method to test creation of a field.
+     */
+    private void testInMemoryObject(byte[] testFieldValueBytes) {
+        testInMemoryObject(testFieldValueBytes, null);
+    }
+    
+    /**
+     * Test creation of a field for which the amount of data falls below the
+     * configured threshold.
+     */
+    @Test
+    public void testBelowThreshold() throws Exception {
+        // Create the FileItem
+        byte[] testFieldValueBytes = createContentBytes(threshold - 1);
+        testInMemoryObject(testFieldValueBytes);
+    }
 
     /**
      * Test creation of a field for which the amount of data equals the
@@ -84,23 +99,7 @@ public void testBelowThreshold() throws Exception {
     public void testThreshold() throws Exception {
         // Create the FileItem
         byte[] testFieldValueBytes = createContentBytes(threshold);
-        FileItem item = createFileItem(testFieldValueBytes);
-
-        // Check state is as expected
-        assertTrue("Initial: in memory", item.isInMemory());
-        assertEquals("Initial: size", item.getSize(), testFieldValueBytes.length);
-        compareBytes("Initial", item.get(), testFieldValueBytes);
-
-
-        // Serialize & Deserialize
-        FileItem newItem = (FileItem)serializeDeserialize(item);
-
-        // Test deserialized content is as expected
-        assertTrue("Check in memory", newItem.isInMemory());
-        compareBytes("Check", testFieldValueBytes, newItem.get());
-
-        // Compare FileItem's (except byte[])
-        compareFileItems(item, newItem);
+        testInMemoryObject(testFieldValueBytes);
     }
 
     /**
@@ -128,6 +127,41 @@ public void testAboveThreshold() throws Exception {
         // Compare FileItem's (except byte[])
         compareFileItems(item, newItem);
     }
+    
+    /**
+     * Test serialization and deserialization when repository is not null.
+     */
+    @Test
+    public void testValidRepository() throws Exception {
+        // Create the FileItem
+        byte[] testFieldValueBytes = createContentBytes(threshold);
+        File repository = new File(System.getProperty("java.io.tmpdir"));
+        testInMemoryObject(testFieldValueBytes, repository);
+    }
+    
+    /**
+     * Test deserialization fails when repository is not valid.
+     */
+    @Test(expected=IOException.class)
+    public void testInvalidRepository() throws Exception {
+        // Create the FileItem
+        byte[] testFieldValueBytes = createContentBytes(threshold);
+        File repository = new File(System.getProperty("java.io.tmpdir") + "file");
+        FileItem item = createFileItem(testFieldValueBytes, repository);
+        deserialize(serialize(item));
+    }
+    
+    /**
+     * Test deserialization fails when repository contains a null character.
+     */
+    @Test(expected=IOException.class)
+    public void testInvalidRepositoryWithNullChar() throws Exception {
+        // Create the FileItem
+        byte[] testFieldValueBytes = createContentBytes(threshold);
+        File repository = new File(System.getProperty("java.io.tmpdir") + "\0");
+        FileItem item = createFileItem(testFieldValueBytes, repository);
+        deserialize(serialize(item));
+    }
 
     /**
      * Compare FileItem's (except the byte[] content)
@@ -169,10 +203,10 @@ private byte[] createContentBytes(int size) {
     }
 
     /**
-     * Create a FileItem with the specfied content bytes.
+     * Create a FileItem with the specfied content bytes and repository.
      */
-    private FileItem createFileItem(byte[] contentBytes) {
-        FileItemFactory factory = new DiskFileItemFactory(threshold, null);
+    private FileItem createFileItem(byte[] contentBytes, File repository) {
+        FileItemFactory factory = new DiskFileItemFactory(threshold, repository);
         String textFieldName = "textField";
 
         FileItem item = factory.createItem(
@@ -192,33 +226,60 @@ private FileItem createFileItem(byte[] contentBytes) {
         return item;
 
     }
+    
+    /**
+     * Create a FileItem with the specfied content bytes.
+     */
+    private FileItem createFileItem(byte[] contentBytes) {
+        return createFileItem(contentBytes, null);
+    }
+    
+    /**
+     * Do serialization
+     */
+    private ByteArrayOutputStream serialize(Object target) throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(baos);
+        oos.writeObject(target);
+        oos.flush();
+        oos.close();
+        return baos;
+    }
+    
+    /**
+     * Do deserialization
+     */
+    private Object deserialize(ByteArrayOutputStream baos) throws Exception {
+        Object result = null;
+        ByteArrayInputStream bais =
+                new ByteArrayInputStream(baos.toByteArray());
+        ObjectInputStream ois = new ObjectInputStream(bais);
+        result = ois.readObject();
+        bais.close();
 
+        return result;
+    }
+    
     /**
      * Do serialization and deserialization.
      */
     private Object serializeDeserialize(Object target) {
         // Serialize the test object
-        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        ByteArrayOutputStream baos = null;
         try {
-            ObjectOutputStream oos = new ObjectOutputStream(baos);
-            oos.writeObject(target);
-            oos.flush();
-            oos.close();
+            baos = serialize(target);
         } catch (Exception e) {
             fail("Exception during serialization: " + e);
         }
-
+        
         // Deserialize the test object
         Object result = null;
         try {
-            ByteArrayInputStream bais =
-                new ByteArrayInputStream(baos.toByteArray());
-            ObjectInputStream ois = new ObjectInputStream(bais);
-            result = ois.readObject();
-            bais.close();
+            result = deserialize(baos);
         } catch (Exception e) {
             fail("Exception during deserialization: " + e);
         }
+        
         return result;
     }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

rhn.redhat.com/errata/RHSA-2013-1428.htmlnvdVendor Advisory
rhn.redhat.com/errata/RHSA-2013-1429.htmlnvdVendor Advisory
rhn.redhat.com/errata/RHSA-2013-1430.htmlnvdVendor Advisory
rhn.redhat.com/errata/RHSA-2013-1448.htmlnvdVendor AdvisoryWEB
github.com/advisories/GHSA-qx6h-9567-5fqwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2013-2186ghsaADVISORY
lists.opensuse.org/opensuse-security-announce/2013-11/msg00008.htmlnvdWEB
lists.opensuse.org/opensuse-updates/2013-10/msg00033.htmlnvdWEB
lists.opensuse.org/opensuse-updates/2013-10/msg00050.htmlnvdWEB
ubuntu.com/usn/usn-2029-1nvdWEB
www.debian.org/security/2013/dsa-2827nvdWEB
www.securityfocus.com/bid/63174nvdWEB
access.redhat.com/errata/RHSA-2016:0070nvdWEB
exchange.xforce.ibmcloud.com/vulnerabilities/88133nvdWEB
github.com/apache/commons-fileupload/blob/master/RELEASE-NOTES.txtghsaWEB
github.com/apache/commons-fileupload/commit/163a6061fbc077d4b6e4787d26857c2baba495d1ghsaWEB
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01nvdWEB
www.tenable.com/security/research/tra-2016-23nvdWEB
rhn.redhat.com/errata/RHSA-2013-1442.htmlnvd
secunia.com/advisories/55716nvd
www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlnvd
www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlnvd
www.oracle.com/technetwork/topics/security/cpujul2015-2367936.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.070
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000