Details
-
Dependency upgrade
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
5.3.5, 5.3.6, 5.3.7, 5.4, 5.2.0
Description
Just found that commons-file-upload < 1.3.1 has a bug that can create a DOS attack .
For more information, see
http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
I do believe commons-file-upload 1.2.2 it's been used in tapestry-upload since version 5.2 at least, or even older.
So recommended option is to update dependency to commons-file-upload-1.3.1.jar