commons fileupload dependency needs to be updated - affected to CVE-2014-0050


    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Normal
    • Affects Version/s: 8.0.0, 7.0.6.1
    • Component/s: Container

      Hi,

      during our internal review we discovered that the pom.xml in the "zcommon" package has a reference to commons-fileupload 1.2.2, which is affected by CVE-2014-0050:

      http://www.cvedetails.com/cve/2014-0050
      MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

      Please update to commons-fileupload 1.3.1 or later.

      Thanks & Bye,
      Chris
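An added check, not part of the report or the project's own build, that does what the reviewer describes: it parses a pom.xml, resolves a `${property}` version if one is used, and flags any commons-fileupload dependency pinned below 1.3.1. The sample pom is constructed for the example and is not the real zcommon pom.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom modelled on the report (not the real zcommon pom.xml).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>zcommon</artifactId>
  <properties>
    <fileupload.version>1.2.2</fileupload.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>${fileupload.version}</version>
    </dependency>
  </dependencies>
</project>
"""

FIXED_IN = (1, 3, 1)  # first commons-fileupload release not affected by CVE-2014-0050


def _version_tuple(v):
    # "1.2.2" -> (1, 2, 2); an empty or unresolved version becomes (0,) so it is flagged
    return tuple(int(x) for x in re.findall(r'\d+', v)[:3]) or (0,)


def vulnerable_fileupload_deps(pom_xml):
    """Return [(artifactId, resolved version)] for commons-fileupload deps below 1.3.1."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if el.tag.rpartition('}')[2] == 'properties':  # strip the Maven namespace
            props = {p.tag.rpartition('}')[2]: (p.text or '').strip() for p in el}
    findings = []
    for dep in root.iter():
        if dep.tag.rpartition('}')[2] != 'dependency':
            continue
        fields = {c.tag.rpartition('}')[2]: (c.text or '').strip() for c in dep}
        if fields.get('groupId') != 'commons-fileupload':
            continue
        version = fields.get('version', '')
        m = re.fullmatch(r'\$\{(.+)\}', version)  # resolve ${property} against <properties>
        if m:
            version = props.get(m.group(1), version)
        if _version_tuple(version) < FIXED_IN:
            findings.append((fields.get('artifactId'), version))
    return findings
```

A version inherited from a parent or BOM (no `<version>` element) is reported conservatively, since the check cannot resolve it from this file alone.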

            Assignee: Unassigned
            Reporter: christian
            Votes: 0
            Watchers: 1
