CVE: 2016-1000031 found in Apache Commons FileUpload - Version: 1.3.2 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Apache Commons FileUpload
Description	The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Language	JAVA
Vulnerability	Remote Code Execution Via Serialization
Vulnerability description	Apache Commons FileUpload is vulnerable to remote code execution via serialization. In Apache Commons FileUpload, a DiskFileItem is used to handle file uploads. DiskFileItem is serializable and implements custom writeObject() and readObject() functions. An attacker is possible to modify the serialized data before it is deserialized, and write or copy files to disk in arbitrary locations. Furthermore, it's possible for an attacker to integrate this vulnerability with the ysoserial tool to upload and execute binaries in a single deserialization call.
CVE	2016-1000031
CVSS score	7.5
Vulnerability present in version/s	1.1-1.3.2
Found library version/s	1.3.2
Vulnerability fixed in version	1.3.3
Library latest version	1.4
Fix	Please apply the fix patch to your code.

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/115?version=1.3.2
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/2911
• Patch:

[github-actions[bot]]

Veracode issue link to PR: https://github.com/julz0815/test-action/pull/184