Impact of RCE vulnerability with Commons FileUpload (CVE-2017-5638) [SPR-15341] #19904

Closed
spring-projects-issues opened this issue Mar 10, 2017 · 1 comment
Labels: in: web, status: invalid
@spring-projects-issues spring-projects-issues commented Mar 10, 2017

Mike Norman opened SPR-15341 and commented

CVE-2017-5638 describes an RCE exploit due to a parse bug for content-type
in the Jakarta Multipart parser.
I believe Spring Web's CommonsMultipartResolver is based upon the above code.

A patch has been proposed at:

https://git-wip-us.apache.org/repos/asf?p=struts.git;a=commitdiff;h=6b8272ce47160036ed120a48345d9aa884477228

Should be looked at, shouldn't it?

Reference URL: rapid7/metasploit-framework#8064

@spring-projects-issues spring-projects-issues commented Mar 10, 2017

Juergen Hoeller commented

As far as I'm aware, the actual vulnerability is in rendering Commons FileUpload's multipart content-type exception within an executable expression environment like OGNL in Struts... and not in Commons FileUpload itself. As a consequence, there is no new release of the FileUpload library, just a patch in the error rendering code within Struts.

So even when a developer chooses to use Commons FileUpload with Spring, there is no expression rendering of such exception messages in this environment: we just propagate the exception to the Servlet container or to user-specific exception handler methods. So from my perspective, there is nothing we can defensively revise here.

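The distinction drawn in the comment above, as an added illustration that is not part of this issue and is not code from Commons FileUpload, Struts or Spring: a constructed multipart content-type check whose error message echoes the raw header, an expression-evaluating message renderer standing in for the OGNL path (Python `eval` over `%{...}` is the stand-in, not Struts' real implementation), the propagating path that treats the same message as opaque data, and a coarse request-time check for expression delimiters in the Content-Type header. All names, the message text and the sample header values are hypothetical.

```python
import re

# Constructed, hypothetical model of the two exception-handling paths
# discussed above; this is not Commons FileUpload, Struts, or Spring code.


class MultipartContentTypeError(Exception):
    """Raised when a request's Content-Type is not usable multipart."""


def parse_multipart_boundary(content_type: str) -> str:
    """Extract the boundary from a multipart/form-data Content-Type.

    Like a real multipart parser, the error message echoes the raw header
    value, so the exception message carries attacker-controlled text.
    """
    m = re.match(r"^\s*multipart/form-data\s*;.*?\bboundary=([^;\s]+)",
                 content_type, re.IGNORECASE)
    if m is None:
        raise MultipartContentTypeError(
            f"unsupported multipart content type: {content_type}")
    return m.group(1)


_EXPR = re.compile(r"%\{([^}]*)\}")


def render_with_expressions(message: str, ctx: dict) -> str:
    """Stand-in for an expression-evaluating message renderer (the OGNL path).

    Every %{...} in the text is evaluated against ctx. Deliberately unsafe:
    this is the behaviour being modelled, not something to copy.
    """
    return _EXPR.sub(
        lambda m: str(eval(m.group(1), {"__builtins__": {}}, dict(ctx))),
        message)


def handle_rendering(content_type: str, ctx: dict) -> dict:
    """Vulnerable path: the exception message is fed to the expression renderer."""
    try:
        parse_multipart_boundary(content_type)
    except MultipartContentTypeError as exc:
        return {"status": 400, "error": render_with_expressions(str(exc), ctx)}
    return {"status": 200, "error": None}


def handle_propagating(content_type: str) -> dict:
    """Spring-style path: the exception reaches a handler and its message is
    treated as opaque data, never evaluated."""
    try:
        parse_multipart_boundary(content_type)
    except MultipartContentTypeError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "error": None}


_EXPRESSION_MARKERS = ("%{", "${")


def content_type_has_expression_markers(content_type: str) -> bool:
    """Coarse request-time check: a legitimate Content-Type never needs
    OGNL/EL-style expression delimiters, so their presence is worth flagging."""
    return any(marker in content_type for marker in _EXPRESSION_MARKERS)


if __name__ == "__main__":
    good = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
    probe = "%{7*191}"  # constructed benign probe, not an exploit payload
    print(parse_multipart_boundary(good))
    print(handle_rendering(probe, {})["error"])  # arithmetic was evaluated
    print(handle_propagating(probe)["error"])    # probe echoed verbatim
    print(handle_rendering("%{secret}", {"secret": "ctx-value"})["error"])
    print(content_type_has_expression_markers(probe))
```

The point the model makes is the one in the comment: the parser and its message are identical on both paths, and the only difference is whether the message is handed to something that evaluates it. The marker check is a cheap defensive filter for a front proxy or a servlet filter, not a fix; the fix is never to route untrusted text through an expression evaluator.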
@spring-projects-issues spring-projects-issues added status: invalid in: web type: task labels Jan 11, 2019
@spring-projects-issues spring-projects-issues removed the type: task label Jan 12, 2019