Description
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, parses multipart requests in org.kohsuke.stapler.RequestImpl with the Apache Commons FileUpload library without setting a limit on the number of request parts. Commons FileUpload 1.5 introduced such a limit to address CVE-2023-24998, but it is not applied unless the calling application configures it, so simply upgrading the library does not close the gap. An attacker who can reach an affected endpoint can send a multipart request containing a very large number of parts, each of which Jenkins parses and buffers, to trigger a denial of service.
Remediation
Upgrade to Jenkins 2.394 or later, or LTS 2.375.4 or later, which set a limit on the number of request parts in org.kohsuke.stapler.RequestImpl.
References
Related Vulnerabilities
Oracle HTTP Server Other Vulnerability (CVE-2020-35166)
Apache read beyond bounds via ap_rwrite() Vulnerability (CVE-2022-28614)
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2009-2901)
WordPress Plugin GA Universal Cross-Site Request Forgery (1.0)
Restlet Framework XML Injection (aka Blind XPath Injection) Vulnerability (CVE-2013-4221)