Remote Code Execution Vulnerability in Apache Commons FileUpload for Struts
CVE-2016-1000031

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Commons Fileupload
Vendor
CVE Published:
25 October 2016

Summary

A vulnerability exists in the Apache Commons FileUpload component prior to version 1.3.3, where improper validation in the DiskFileItem class allows malicious users to execute arbitrary code on the host system. This occurs through crafted file uploads, which can enable an attacker to manipulate the file handling process and gain unauthorized access to system resources. Implementing necessary security upgrades is crucial to mitigate potential risks associated with this vulnerability.

References

http://www.securityfocus.com/bid/93604
vdb-entryx_refsource_BID
https://lists.apache.org/thread.html/d66657323fd25e437fac...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/708d94141126eac03011...
mailing-listx_refsource_MLIST

EPSS Score

48% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.