Description: Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libcommons-fileupload-java (PTS) | buster | 1.3.3-1 | vulnerable |
| | sid, trixie | 1.5-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|

Marked as unimportant since, even though the CVE is assigned for Apache Commons FileUpload, Apache say that the issue needs to be fixed in any vendor/product using Apache Commons FileUpload DiskFileItem as described in the given advisory.
Thus we are not going to diverge from Apache upstream here.
