Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
There exists a Java Object in this package that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application's implementation of …
The MultipartStream class in this package allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
MultipartStream.java in this package allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
The DiskFileItem class in this package allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
The default configuration of javax.servlet.context.tempdir in this package uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.