Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

ghsa-7c2q-5qmr-v76q
Back to All
CVE

GHSA-7c2q-5qmr-v76q

DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998

Description

Impact

ESAPI 2.5.2.0 and later addressed  the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods (or more specifically those methods in the DefaultHTTPUtilities implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.

Related to

CVE-2023-24998

Patches

ESAPI 2.5.2.0 or later.

Workarounds

  • See the 'Solutions' section of Security Bulletin 11, in the References section. If you are not using ESAPI file uploads, see also the 'Workarounds' section.
  • Deploy an external WAF or other suitable DoS protection.
  • Add additional defenses to your code using HTTPUtilities.getFileUpload, such as requiring prior authentication, restricting how many / much content can be uploaded per user per day or per hour, etc. (It is the opinion of the ESAPI development team that such required controls should not be added to ESAPI because it is a general purpose security library and thus ESAPI ought not be enforcing generic policies like these on everyone, especially it it could break existing code bases.)

References

Security Bulletin 11: How Does CVE-2023-24998 Impact ESAPI?

New ESAPI 2.5.2.0  or later Javadoc on HTTPUtilities.getFileUploads: https://javadoc.io/static/org.owasp.esapi/esapi/2.5.2.0/org/owasp/esapi/HTTPUtilities.html#getFileUploads-javax.servlet.http.HttpServletRequest-java.io.File-java.util.List-

(Note: This link won't work until the 2.5.2.0 release is made official.)

Final Word

(Especially to GitHub Advance Security team / GitHub as a CNA) -- I do not really wish to file a CVE for this. I had originally considered it, but there is no real way to address the general DoS scenarios for file uploads without breaking ESAPI client code which we are not willing to do. The clients have to take some responsibility for this themselves. In the next ESAPI release, I am going to add a reference to the appropriate Javadoc to this GitHub Security Advisory, but that's the best we can do. If you wish to discuss this with me, please first contact me via email at kevin.w.wall@gmail.com. 

Base CVSS

7.5

EPSS Score

0%

Introduced Version

2.0_rc10

Fix Available

2.5.2.0

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.owasp.esapi:esapi
2.2.3.1
CVES Fixed
C
1
H
1
M
0
L
0
Code Changed
+1176
-327

References

https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-7c2q-5qmr-v76q
https://github.com/ESAPI/esapi-java-legacy

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01