[TAP5-2295] Vulnerability in Tapestry-upload module due to commons-file-upload - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Dependency upgrade
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 5.3.5, 5.3.6, 5.3.7, 5.4, 5.2.0
Fix Version/s: 5.4, 5.3.8
Component/s: tapestry-upload
Labels:

Description

Just found that commons-file-upload < 1.3.1 has a bug that can create a DOS attack .

For more information, see
http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html

I do believe commons-file-upload 1.2.2 it's been used in tapestry-upload since version 5.2 at least, or even older.

So recommended option is to update dependency to commons-file-upload-1.3.1.jar

Attachments

Activity

People

Assignee:: Bob Harner

Reporter:: jose luis sanchez

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 28/Feb/14 09:16

Updated:: 03/Mar/14 16:11

Resolved:: 03/Mar/14 16:09