tsaekao / verademo-java

The Veracode demo application. A simple Java Web App built using Spring MVC.

CVE: 2016-1000031 found in Apache Commons FileUpload - Version: 1.3.2 [JAVA] #3

Open github-actions[bot] opened 10 months ago

github-actions[bot] commented 10 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Apache Commons FileUpload |
| Description | The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. |
| Language | JAVA |
| Vulnerability | Remote Code Execution Via Serialization |
| Vulnerability description | Apache Commons FileUpload is vulnerable to remote code execution via serialization. In Apache Commons FileUpload, a DiskFileItem is used to handle file uploads. DiskFileItem is serializable and implements custom writeObject() and readObject() functions. It is possible for an attacker to modify the serialized data before it is deserialized, and write or copy files to disk in arbitrary locations. Furthermore, it's possible for an attacker to integrate this vulnerability with the ysoserial tool to upload and execute binaries in a single deserialization call. |
| CVE | 2016-1000031 |
| CVSS score | 7.5 |
| Vulnerability present in version/s | 1.1-1.3.2 |
| Found library version/s | 1.3.2 |
| Vulnerability fixed in version | 1.3.3 |
| Library latest version | 1.5 |
| Fix | Please apply the fix patch to your code. |


github-actions[bot] commented 10 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

github-actions[bot] commented 10 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43