TAP5-2295: Vulnerability in Tapestry-upload module due to commons-file-upload

    Details

      Description

      Just found that commons-file-upload < 1.3.1 has a bug that can create a DoS attack.

      For more information, see
      http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html

      I do believe commons-file-upload 1.2.2 has been used in tapestry-upload since version 5.2 at least, or even older.

      So the recommended option is to update the dependency to commons-file-upload-1.3.1.jar.

        Activity

        jira-bot ASF subversion and git services added a comment -

        Commit 8834c7dbe170f141f042108a4f0b57fb0263beff in tapestry-5's branch refs/heads/5.3 from Bob Harner
        [ https://git-wip-us.apache.org/repos/asf?p=tapestry-5.git;h=8834c7d ]

        5.3 branch: Fixed TAP5-2295 (denial of service vulnerability due to
        commons-file-upload) by upgrading commons-file-upload from 1.2.2 to
        1.3.1, which also required upgrading commons-io from 2.0.1 to 2.2.

        bobharner Bob Harner added a comment -

        Fixed in 5.4, but still need to do the same for 5.3.x.

        Note that we want to avoid commons-io version 2.4 for now because it requires JDK 1.6.

        jira-bot ASF subversion and git services added a comment -

        Commit 9dfe22e08556da76d7a35a79d599f4b9a527c4e1 in tapestry-5's branch refs/heads/master from Bob Harner
        [ https://git-wip-us.apache.org/repos/asf?p=tapestry-5.git;h=9dfe22e ]

        Fixed TAP5-2295 (denial of service vulnerability due to
        commons-file-upload) by upgrading commons-file-upload from 1.2.2 to
        1.3.1, which also required upgrading commons-io from 2.0.1 to 2.2.

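        An added example, not code from the Tapestry project: a small Python audit that scans Gradle-style dependency coordinates (group:artifact:version) and flags commons-fileupload below 1.3.1, the version the reporter recommends, and commons-io below 2.2, the version the fix commits upgraded to. The sample coordinate list, the minimum-version table and the audit_dependencies / version_lt helpers are assumptions of this example; the coordinates commons-fileupload:commons-fileupload and commons-io:commons-io are the artifacts' published Maven coordinates. Versions are compared numerically rather than as strings, so 1.10 correctly sorts after 1.3.

```python
"""Dependency audit in the spirit of the TAP5-2295 fix.

Added example (not Tapestry project code). It scans constructed
Gradle-style coordinate strings and reports any pinned version below the
minimum taken from the ticket.
"""
import re
from typing import Dict, List, Tuple

# Minimum versions taken from the ticket: the reporter recommends
# commons-fileupload 1.3.1; the fix commits raised commons-io to 2.2.
MIN_VERSIONS: Dict[str, str] = {
    "commons-fileupload:commons-fileupload": "1.3.1",
    "commons-io:commons-io": "2.2",
}

# Constructed sample dependency declarations (not the Tapestry build file).
SAMPLE_DEPENDENCIES: List[str] = [
    "commons-fileupload:commons-fileupload:1.2.2",
    "commons-io:commons-io:2.0.1",
    "commons-codec:commons-codec:1.5",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.1' into (1, 3, 1); a suffix such as '-SNAPSHOT' is ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a is older than b; shorter tuples are zero-padded
    so that 1.3 and 1.3.0 compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def audit_dependencies(coords: List[str]) -> List[str]:
    """Return one finding per coordinate that is pinned below its minimum."""
    findings = []
    for coord in coords:
        fields = coord.strip().split(":")
        if len(fields) != 3:
            findings.append(f"unparseable coordinate: {coord!r}")
            continue
        group, artifact, version = fields
        key = f"{group}:{artifact}"
        minimum = MIN_VERSIONS.get(key)
        if minimum is not None and version_lt(version, minimum):
            findings.append(f"{key} {version} is below required {minimum}")
    return findings


if __name__ == "__main__":
    for finding in audit_dependencies(SAMPLE_DEPENDENCIES):
        print(finding)
```

        Run against the constructed list, the audit reports both outdated artifacts; once the coordinates are bumped to 1.3.1 and 2.2 it reports nothing, which is the state the fix commits leave the build in.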

          People

          • Assignee: bobharner Bob Harner
          • Reporter: josetesan jose luis sanchez