VulnerableCode Package Details - pkg:maven/commons-fileupload/commons-fileupload@1-alpha0

Search for packages

Vulnerability	Summary	Fixed by
VCID-hysp-vpze-aaaa Aliases: CVE-2013-0248 GHSA-vm69-474v-7q2w	/tmp directory used by default for uploaded files The default configuration of `javax.servlet.context.tempdir` in this package uses the `/tmp` directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.	1.2.2 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.3 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-yqy8-6qrt-aaaa Aliases: CVE-2013-2186 GHSA-qx6h-9567-5fqw	Arbitrary file upload via deserialization The DiskFileItem class in this package allows remote attackers to write to arbitrary files via a `NULL` byte in a file name in a serialized instance.	1.3.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-hysp-vpze-aaaa
Aliases:
CVE-2013-0248
GHSA-vm69-474v-7q2w

/tmp directory used by default for uploaded files The default configuration of `javax.servlet.context.tempdir` in this package uses the `/tmp` directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

1.2.2
Affected by 6 other vulnerabilities.

1.3
Affected by 5 other vulnerabilities.

VCID-yqy8-6qrt-aaaa
Aliases:
CVE-2013-2186
GHSA-qx6h-9567-5fqw

Arbitrary file upload via deserialization The DiskFileItem class in this package allows remote attackers to write to arbitrary files via a `NULL` byte in a file name in a serialized instance.

1.3.1
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2024-09-17T22:40:39.646113+00:00	GitLab Importer	Affected by	VCID-yqy8-6qrt-aaaa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/commons-fileupload/commons-fileupload/CVE-2013-2186.yml	34.0.1
2024-09-17T22:40:39.494506+00:00	GitLab Importer	Affected by	VCID-hysp-vpze-aaaa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/commons-fileupload/commons-fileupload/CVE-2013-0248.yml	34.0.1
2024-01-03T18:03:03.551373+00:00	GitLab Importer	Affected by	VCID-yqy8-6qrt-aaaa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/commons-fileupload/commons-fileupload/CVE-2013-2186.yml	34.0.0rc1
2024-01-03T18:03:03.413894+00:00	GitLab Importer	Affected by	VCID-hysp-vpze-aaaa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/commons-fileupload/commons-fileupload/CVE-2013-0248.yml	34.0.0rc1