CVE: 2016-1000031 found in Apache Commons FileUpload - Version: 1.3.2 [JAVA] #845

@github-actions

Description

Veracode Software Composition Analysis

| Attribute | Details |
|---|---|
| Library | Apache Commons FileUpload |
| Description | The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. |
| Language | JAVA |
| Vulnerability | Remote Code Execution Via Serialization |
| Vulnerability description | Apache Commons FileUpload is vulnerable to remote code execution via serialization. In Apache Commons FileUpload, a DiskFileItem is used to handle file uploads. DiskFileItem is serializable and implements custom writeObject() and readObject() functions. An attacker can modify the serialized data before it is deserialized and write or copy files to arbitrary locations on disk. Furthermore, an attacker can combine this vulnerability with the ysoserial tool to upload and execute binaries in a single deserialization call. |
| CVE | 2016-1000031 |
| CVSS score | 7.5 |
| Vulnerability present in version/s | 1.1-1.3.2 |
| Found library version/s | 1.3.2 |
| Vulnerability fixed in version | 1.3.3 |
| Library latest version | 1.4 |
| Fix | Please apply the fix patch to your code. |

Links:
