Package details: pkg:deb/debian/libcommons-fileupload-java@1.4-2?distro=trixie
purl pkg:deb/debian/libcommons-fileupload-java@1.4-2?distro=trixie
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (1)
VCID-2x6a-3gh1-rkhs
Aliases: CVE-2025-48976, GHSA-vv7r-c36w-3prj
Summary: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
Fixed by: There are no reported fixed by versions.
Vulnerabilities fixed by this package (5)
VCID-56jv-htmt-rkew
Aliases: CVE-2023-24998, GHSA-hfrx-6qgj-fp6c
Summary: Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

VCID-gv12-4ruf-kfhq
Aliases: CVE-2014-0050, GHSA-xx68-jfcg-xmmf
Summary: MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

VCID-jc2q-ht2b-cfhx
Aliases: CVE-2013-2186, GHSA-qx6h-9567-5fqw
Summary: The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

VCID-kqjy-kvpx-kub8
Aliases: CVE-2013-0248, GHSA-vm69-474v-7q2w
Summary: /tmp directory used by default for uploaded files. The default configuration of `javax.servlet.context.tempdir` in this package uses the `/tmp` directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

VCID-pqxe-tfhk-47b7
Aliases: CVE-2016-3092, GHSA-fvm3-cfvj-gxqq
Summary: The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T11:49:26.081404+00:00 Debian Importer Fixing VCID-56jv-htmt-rkew https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:02:00.772972+00:00 Debian Importer Fixing VCID-pqxe-tfhk-47b7 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:33:25.577842+00:00 Debian Importer Fixing VCID-jc2q-ht2b-cfhx https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:13:01.387811+00:00 Debian Importer Fixing VCID-gv12-4ruf-kfhq https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:07:18.039548+00:00 Debian Importer Fixing VCID-kqjy-kvpx-kub8 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T08:04:05.629912+00:00 Debian Importer Fixing VCID-56jv-htmt-rkew https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:29:26.527539+00:00 Debian Importer Fixing VCID-pqxe-tfhk-47b7 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:22:12.070534+00:00 Debian Importer Fixing VCID-jc2q-ht2b-cfhx https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:09:58.738119+00:00 Debian Importer Fixing VCID-gv12-4ruf-kfhq https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:06:38.383693+00:00 Debian Importer Fixing VCID-kqjy-kvpx-kub8 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:28:34.931811+00:00 Debian Importer Affected by VCID-2x6a-3gh1-rkhs https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:28:34.888769+00:00 Debian Importer Fixing VCID-56jv-htmt-rkew https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:28:34.848853+00:00 Debian Importer Fixing VCID-pqxe-tfhk-47b7 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:28:34.803712+00:00 Debian Importer Fixing VCID-gv12-4ruf-kfhq https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:28:34.764951+00:00 Debian Importer Fixing VCID-jc2q-ht2b-cfhx https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:28:34.724470+00:00 Debian Importer Fixing VCID-kqjy-kvpx-kub8 https://security-tracker.debian.org/tracker/data/json 38.1.0