High severityNVD Advisory· Published Feb 20, 2023· Updated Nov 3, 2025
Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts
CVE-2023-24998
Description
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
commons-fileupload:commons-fileuploadMaven | < 1.5 | 1.5 |
org.apache.tomcat:tomcat-coyoteMaven | >= 10.1.0-M1, < 10.1.5 | 10.1.5 |
org.apache.tomcat:tomcat-coyoteMaven | >= 11.0.0-M2, < 11.0.0-M5 | 11.0.0-M5 |
org.apache.tomcat:tomcat-coyoteMaven | >= 8.5.85, < 8.5.88 | 8.5.88 |
org.apache.tomcat:tomcat-coyoteMaven | >= 9.0.0-M1, < 9.0.71 | 9.0.71 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 10.1.0-M1, < 10.1.5 | 10.1.5 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 11.0.0-M2, < 11.0.0-M5 | 11.0.0-M5 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.85, < 8.5.88 | 8.5.88 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0-M1, < 9.0.71 | 9.0.71 |
org.apache.tomcat:tomcat-catalinaMaven | >= 10.1.0-M1, < 10.1.5 | 10.1.5 |
org.apache.tomcat:tomcat-catalinaMaven | >= 11.0.0-M2, < 11.0.0-M5 | 11.0.0-M5 |
org.apache.tomcat:tomcat-catalinaMaven | >= 8.5.85, < 8.5.88 | 8.5.88 |
org.apache.tomcat:tomcat-catalinaMaven | >= 9.0.0-M1, < 9.0.71 | 9.0.71 |
Affected products
75- osv-coords73 versionspkg:apk/chainguard/jenkinspkg:apk/chainguard/jenkins-compatpkg:apk/chainguard/jenkins-remotingpkg:apk/wolfi/jenkinspkg:apk/wolfi/jenkins-compatpkg:apk/wolfi/jenkins-remotingpkg:maven/commons-fileupload/commons-fileuploadpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcat-coyotepkg:rpm/almalinux/tomcatpkg:rpm/almalinux/tomcat-admin-webappspkg:rpm/almalinux/tomcat-docs-webapppkg:rpm/almalinux/tomcat-el-3.0-apipkg:rpm/almalinux/tomcat-jsp-2.3-apipkg:rpm/almalinux/tomcat-libpkg:rpm/almalinux/tomcat-servlet-4.0-apipkg:rpm/almalinux/tomcat-webappspkg:rpm/opensuse/apache-commons-fileupload&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/apache-commons-fileupload&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/apache-commons-fileupload&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/jakarta-commons-fileupload&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4pkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/apache-commons-fileupload&distro=SUSE%20Manager%20Server%204.2pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOSpkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/jakarta-commons-fileupload&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.2pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 2.395-r0+ 72 more
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 1.5
- (no CPE)range: >= 10.1.0-M1, < 10.1.5
- (no CPE)range: >= 10.1.0-M1, < 10.1.5
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-1.1
- (no CPE)range: < 1.1.1-150000.4.8.1
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.43-14.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.5-150200.3.9.1
- (no CPE)range: < 1.1.1-150000.4.8.1
- (no CPE)range: < 1.1.1-122.8.1
- (no CPE)range: < 1.1.1-122.8.1
- (no CPE)range: < 1.1.1-122.8.1
- (no CPE)range: < 1.1.1-122.8.1
- (no CPE)range: < 1.1.1-150000.4.8.1
- (no CPE)range: < 1.1.1-122.8.1
- (no CPE)range: < 1.1.1-122.8.1
- (no CPE)range: < 1.1.1-150000.4.8.1
- (no CPE)range: < 1.1.1-122.8.1
- (no CPE)range: < 1.1.1-122.8.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.36-150100.4.87.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 8.0.53-29.63.1
- (no CPE)range: < 9.0.36-3.99.1
- (no CPE)range: < 9.0.36-3.99.1
- (no CPE)range: < 9.0.36-3.99.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-150100.4.87.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.36-3.99.1
- (no CPE)range: < 9.0.36-3.99.1
- (no CPE)range: < 9.0.36-150100.4.87.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.43-150200.35.1
- (no CPE)range: < 9.0.36-3.99.1
- (no CPE)range: < 9.0.36-3.99.1
- Range: 0
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
20- github.com/advisories/GHSA-hfrx-6qgj-fp6cghsaADVISORY
- lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoyghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-24998ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/05/22/1ghsaWEB
- commons.apache.org/proper/commons-fileupload/security-reports.htmlghsaWEB
- github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17ghsaWEB
- github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ceghsaWEB
- github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6eghsaWEB
- github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74ghsaWEB
- github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38ghsaWEB
- lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlghsaWEB
- lists.debian.org/debian-lts-announce/2025/07/msg00008.htmlghsaWEB
- security.gentoo.org/glsa/202305-37ghsaWEB
- security.netapp.com/advisory/ntap-20230302-0013ghsaWEB
- security.netapp.com/advisory/ntap-20241108-0002ghsaWEB
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-11.htmlghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
- www.debian.org/security/2023/dsa-5522ghsaWEB
News mentions
1- Jenkins Security Advisory 2023-03-08Jenkins Security Advisories · Mar 8, 2023