
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache Commons FileUpload before version 1.5, as used in Apache Tomcat, contains a vulnerability identified as CVE-2023-24998. The vulnerability was discovered in February 2023 and affects the file upload functionality: the library does not limit the number of request parts it will process. This vulnerability impacts Apache Tomcat versions before 8.5.88, 9.0.74, and 10.1.8, which use a packaged, renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification (NVD, Debian Security).
The vulnerability stems from the absence of any limit on the number of request parts that can be processed during file uploads. The configuration option introduced to address it (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).
When exploited, this vulnerability could allow an attacker to trigger a Denial of Service (DoS) condition through a malicious upload or series of uploads. Because there is no limit on the number of request parts processed, an attacker could consume the resources needed to handle those requests and prevent other systems, applications, or processes from accessing the same type of resource (Debian Security).
The primary mitigation is to upgrade to a patched version: Apache Tomcat 8.5.88 or later, 9.0.74 or later, or 10.1.8 or later. For the Commons FileUpload component itself, upgrading to version 1.5 or later is recommended. Additionally, administrators should explicitly configure the FileUploadBase#setFileCountMax option to limit the number of request parts that can be processed (Gentoo Security).
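The following servlet, added here as an illustration and not code from the vulnerability report or from the Apache project, shows the unbounded default beside the explicitly configured limit. It assumes commons-fileupload 1.5 on the classpath, the javax.servlet API, and the limit values are illustrative choices for this example.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Hypothetical upload servlet; limit values below are assumptions for this example. */
public class UploadServlet extends HttpServlet {

    // Weak: no cap on the number of parts, so a multipart body carrying a huge
    // number of parts is parsed in full (the CVE-2023-24998 condition).
    private ServletFileUpload unboundedParser() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    // Hardened: requires commons-fileupload 1.5+, which adds setFileCountMax.
    // The limit is not enabled by default and must be set explicitly.
    private ServletFileUpload boundedParser() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(10);                // max parts per request (assumed value)
        upload.setFileSizeMax(5L * 1024 * 1024);   // 5 MiB per file (assumed value)
        upload.setSizeMax(20L * 1024 * 1024);      // 20 MiB per request (assumed value)
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        try {
            List<FileItem> items = boundedParser().parseRequest(req);
            // Application-specific handling of 'items' goes here.
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Raised as soon as the part count exceeds fileCountMax; parsing stops early.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "too many request parts");
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "upload rejected");
        }
    }
}
```

Rejections logged at the FileCountLimitExceededException branch are a useful detection signal for clients repeatedly sending oversized multipart bodies.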
Source: This report was generated using AI