Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03YzJxLTVxbXItdjc2cc4AA2we

DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998

Impact

ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods (or more specifically those methods in the DefaultHTTPUtilities implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.

Related to

CVE-2023-24998

Patches

ESAPI 2.5.2.0 or later.

Workarounds

References

Security Bulletin 11: How Does CVE-2023-24998 Impact ESAPI?
New ESAPI 2.5.2.0 or later Javadoc on HTTPUtilities.getFileUploads: https://javadoc.io/static/org.owasp.esapi/esapi/2.5.2.0/org/owasp/esapi/HTTPUtilities.html#getFileUploads-javax.servlet.http.HttpServletRequest-java.io.File-java.util.List-
(Note: This link won't work until the 2.5.2.0 release is made official.)

Final Word

(Especially to the GitHub Advanced Security team / GitHub as a CNA) -- I do not really wish to file a CVE for this. I had originally considered it, but there is no real way to address the general DoS scenarios for file uploads without breaking ESAPI client code, which we are not willing to do. The clients have to take some responsibility for this themselves. In the next ESAPI release, I am going to add a reference to the appropriate Javadoc to this GitHub Security Advisory, but that's the best we can do. If you wish to discuss this with me, please first contact me via email at [email protected].

Permalink: https://github.com/advisories/GHSA-7c2q-5qmr-v76q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03YzJxLTVxbXItdjc2cc4AA2we
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-7c2q-5qmr-v76q
References: Repository: https://github.com/ESAPI/esapi-java-legacy
Blast Radius: 23.8

Affected Packages

maven:org.owasp.esapi:esapi
Dependent packages: 106
Dependent repositories: 1,483
Downloads:
Affected Version Ranges: < 2.5.2.0
Fixed in: 2.5.2.0
All affected versions:
All unaffected versions: 2.0.1, 2.1.0