Note new limit is not enabled by default

2023-02-20 17:08:55 +00:00 · 2023-02-20 17:08:55 +00:00 · c4f32a1329
parent 52410bd989
commit c4f32a1329
1 changed files with 6 additions and 4 deletions
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@ -56,10 +56,12 @@
          <p><b>Important: Denial of Service</b> <a
          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24998">CVE-2023-24998</a></p>
 
-          <p>Apache Commons FileUpload before 1.5 does not limit the number of
-          request parts to be processed resulting in the possibility of an
-          attacker triggering a DoS with a malicious upload or series of
-          uploads.</p>
+          <p>Apache Commons FileUpload before 1.5 does not provide an option to
+          limit the number of request parts to be processed resulting in the
+          possibility of an attacker triggering a DoS with a malicious upload or
+          series of uploads. Note that, like all of the file upload limits, the
+          new configuration option (FileUploadBase#setFileCountMax) is not
+          enabled by default and must be explicitly configured.</p>

          <p>This was fixed in commit
          <a href="https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17"