#VU12312 Desereliazation of untrusted data

Published: 2018-05-01 | Updated: 2021-07-19

Vulnerability identifier: #VU12312

Vulnerability risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1000031


Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Commons FileUpload
Server applications / Frameworks for developing and running applications

Vendor: Apache Foundation

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists in DiskFileItem class of the FileUpload library due to deserialization of untrusted data. A remote attacker can execute arbitrary code under the context of the current process.

Successful exploitation of the vulnerability may result in system compromise.

Install update from vendor's website.

Vulnerable software versions

Apache Commons FileUpload: 1.3.2


External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability