Main Vulnerability Database SB2020051822

SB2020051822 - Arbitrary file upload in GWTUpload

Published: May 18, 2020 Updated: August 8, 2020

Security Bulletin ID SB2020051822

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Arbitrary file upload (CVE-ID: CVE-2020-13128)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in Manolo GWTUpload 1.0.3. server/UploadServlet.java (the servlet for handling file upload) accepts a delay parameter that causes a thread to sleep. It can be abused to cause all of a server's threads to sleep, leading to denial of service.

Remediation

Install update from vendor's website.

References

https://github.com/manolo/gwtupload/issues/33
https://logicaltrust.net/blog/2020/02/gwt-upload.html