
commons-fileupload dependency needs to be updated - affected by CVE-2014-0050


    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Normal
    • None
    • 8.0.0, 7.0.6.1
    • Container
    • None

      Hi,

      during our internal review we discovered that the pom.xml in the "zcommon" package has a reference to commons-fileupload 1.2.2, which is affected by CVE-2014-0050:

      http://www.cvedetails.com/cve/2014-0050
      MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

      Please update to commons-fileupload 1.3.1 or later.

      Thanks & Bye,
      Chris

            Assignee: Unassigned
            Reporter: christian
            Votes: 0
            Watchers: 1
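As an added check (not part of this issue or the ZK code base), the script below parses a Maven pom.xml, finds every declared `commons-fileupload` dependency, resolves `${property}` placeholders against the pom's `<properties>` block, and flags any version below 1.3.1 (the release the CVE description names as fixed). The two pom snippets inside it are constructed for illustration and are not ZK's real zcommon pom.xml; the function and property names are assumptions of this example.

```python
"""Flag a Maven pom.xml that declares commons-fileupload below 1.3.1.

Added check, not part of the ZK issue or project. The pom snippets below are
constructed for illustration; they are not ZK's real zcommon pom.xml.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 3, 1)  # commons-fileupload 1.3.1 is the first release not affected by CVE-2014-0050


def _ns(root):
    """Return the XML namespace of the root element ('' for poms declared without xmlns)."""
    m = re.match(r"\{([^}]+)\}", root.tag)
    return m.group(1) if m else ""


def _tag(ns, name):
    """Build a Clark-notation tag name so ElementTree finds namespaced pom elements."""
    return f"{{{ns}}}{name}" if ns else name


def _text(elem, ns, child):
    node = elem.find(_tag(ns, child))
    return node.text.strip() if node is not None and node.text else None


def _resolve(value, props):
    """Expand ${property} references (e.g. ${fileupload.version}) against <properties>."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def _version_tuple(version):
    """Turn '1.3.1' into (1, 3, 1); stop at the first non-numeric piece such as a qualifier."""
    parts = []
    for piece in re.split(r"[.-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def fileupload_versions(pom_xml):
    """Return the resolved version string of every commons-fileupload dependency in the pom."""
    root = ET.fromstring(pom_xml)
    ns = _ns(root)
    props = {}
    props_elem = root.find(_tag(ns, "properties"))
    if props_elem is not None:
        for p in props_elem:
            props[p.tag.split("}", 1)[-1]] = (p.text or "").strip()
    found = []
    for dep in root.iter(_tag(ns, "dependency")):
        if (_text(dep, ns, "groupId") == "commons-fileupload"
                and _text(dep, ns, "artifactId") == "commons-fileupload"):
            found.append(_resolve(_text(dep, ns, "version"), props))
    return found


def fileupload_vulnerable(pom_xml):
    """True if any declared commons-fileupload version is below 1.3.1.

    A missing version (managed by a parent pom) or an unresolved placeholder
    cannot be proven fixed from this file alone, so it is reported as vulnerable.
    """
    for v in fileupload_versions(pom_xml):
        if v is None or "${" in v:
            return True
        if _version_tuple(v) < FIXED_VERSION:
            return True
    return False


# Constructed sample: the situation the issue describes (1.2.2 declared directly).
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.2.2</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample: the requested fix, with the version held in a property.
FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <fileupload.version>1.3.1</fileupload.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>${fileupload.version}</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for label, pom in (("vulnerable sample", VULNERABLE_POM), ("fixed sample", FIXED_POM)):
        print(label, fileupload_versions(pom), "vulnerable:", fileupload_vulnerable(pom))
```

Note that this only inspects versions declared in the one pom it is given; a parent pom's `<dependencyManagement>` or a transitive pull of commons-fileupload through another artifact is not visible to it, which is why an unresolved or absent version is reported as not proven fixed rather than as safe.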