  1. ZK
  2. ZK-2954

commons fileupload dependency needs to be updated - affected by CVE-2014-0050

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: 8.0.0, 7.0.6.1
    • Fix Version/s: None
    • Component/s: Container
    • Labels:
      None

      Description

      Hi,

      During our internal review we discovered that the pom.xml in the "zcommon" package has a reference to commons-fileupload 1.2.2, which is affected by CVE-2014-0050:

      http://www.cvedetails.com/cve/2014-0050
      MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

      Please update to commons-fileupload 1.3.1 or later.

      Thanks & Bye,
      Chris
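
One way to check a pom.xml for the dependency described in this report, as an added example that is not part of the original issue or the ZK code base. The sample POM and the property name `fileupload.version` are constructed for illustration; the 1.3.1 threshold is the fixed version named in the issue.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 3, 1)  # first release without CVE-2014-0050, per the issue text

# Constructed sample, not the real zcommon pom.xml (property name is an assumption).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><fileupload.version>1.2.2</fileupload.version></properties>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>${fileupload.version}</version>
    </dependency>
  </dependencies>
</project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix, if any

def version_tuple(text):
    """Leading numeric components, zero-padded: '1.3.1-SNAPSHOT' -> (1, 3, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    nums = tuple(int(p) for p in m.group(0).split(".")) if m else ()
    return nums + (0,) * (3 - len(nums))

def find_vulnerable_fileupload(pom_xml):
    """Return declared commons-fileupload versions older than 1.3.1."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root:
        if _local(el.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in el}
    hits = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") != "commons-fileupload":
            continue
        version = fields.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", version)
        if ref:  # version given as a ${property} reference
            version = props.get(ref.group(1), "")
        if not version or version_tuple(version) < FIXED:
            hits.append(version or "unresolved")  # unresolved = inherited, check parent POM
    return hits
```

This reads only the POM it is given; a version inherited from a parent POM or pulled in transitively is reported as "unresolved" or not seen at all, so the resolved dependency tree still needs checking.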

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            Unassigned
            Reporter:
            christian christian