CVE-2013-2186

Publication date 28 October 2013

Last updated 26 May 2025

Ubuntu priority

Description

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
libcommons-fileupload-java	13.10 saucy	Fixed 1.3-2ubuntu0.1
	13.04 raring	Fixed 1.2.2-1ubuntu0.13.04.1
	12.10 quantal	Fixed 1.2.2-1ubuntu0.12.10.1
	12.04 LTS precise	Fixed 1.2.2-1ubuntu0.12.04.1
	10.04 LTS lucid	Fixed 1.2.1-3ubuntu2.1

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libcommons-fileupload-java	Upstream: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048

References

Related Ubuntu Security Notices (USN)

USN-2029-1
Apache Commons FileUpload vulnerability
13 November 2013

Other references

https://www.cve.org/CVERecord?id=CVE-2013-2186