CVE-2023-24998 - Denial of Service (DoS)

Severity: High2023-04-06

Security Advisories


Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

The Oxygen products incorporate Apache Commons FileUpload as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen XML Web Author v25.0.0.3 and olderHigh Oxygen XML Web Author 25.1 build 2023031320





Severity: High

CVSS Score: 7.5

The Apache Commons FileUpload third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-24998 vulnerability description.

Starting with Oxygen XML Web Author v25.1 build 2023031320 Apache Tomcat library was updated to v9.0.73 which fixes this vulnerability.

List of Security Advisories