Description: Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                    | Release                  | Version          | Status
libcommons-fileupload-java (PTS)  | wheezy                   | 1.2.2-1+deb7u2   | vulnerable
libcommons-fileupload-java (PTS)  | wheezy (security)        | 1.2.2-1+deb7u3   | vulnerable
libcommons-fileupload-java (PTS)  | jessie (security), jessie| 1.3.1-1+deb8u1   | vulnerable
libcommons-fileupload-java (PTS)  | buster, sid              | 1.3.3-1          | vulnerable

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
(no fixed-version entries recorded)

Marked as unimportant: even though the CVE is assigned to Apache Commons FileUpload, Apache states that the issue needs to be fixed in any vendor or product that uses Apache Commons FileUpload's DiskFileItem, as described in the referenced advisory. Thus we are not going to diverge from Apache upstream here.
