## Critical Vulnerability Information

- **CVE ID**: CVE-2016-1000031
- **Vulnerability Name**: Apache Commons FileUpload DiskFileItem File Manipulation Remote Code Execution
- **Component**: Commons FileUpload
- **Priority**: Critical
- **Affected Versions**: 1.3.2
- **Fixed Versions**: 1.3.3
- **Status**: Closed
- **Resolution**: Fixed

### Description

**Summary**:

- A Java object within the Apache Commons FileUpload library can be manipulated such that, when deserialized, it allows writing or copying files to arbitrary locations on disk. Additionally, this object can be used independently or in conjunction with ysoserial to upload and execute binary files within a single deserialization call. The exploitability depends on how the application implements the FileUpload library.

**Background**:

- At the end of 2015, FoxGlove Security published an article detailing how to achieve remote code execution on various commercial products using Chris Frohoff's ysoserial tool, based on a presentation from AppSec Cali in January 2015. The ysoserial tool leverages "gadgets" to perform "unintended" operations within Apache Commons Collections, Groovy, and Spring, ultimately executing Runtime.getRuntime().exec() to enable remote Java code execution. The DiskFileItem class in the FileUpload library is serializable and implements custom writeObject() and readObject() methods, making it susceptible to exploitation.

### Related Links:

- [http://www.tenable.com/security/research/tra-2016-12](http://www.tenable.com/security/research/tra-2016-12)
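Because the damage happens inside DiskFileItem's custom readObject(), the mitigation beyond upgrading to 1.3.3 is to keep that class out of any ObjectInputStream that reads untrusted bytes. The following is an added defensive example, not code from the advisory or the Commons FileUpload project: a JDK 9+ ObjectInputFilter (JEP 290) that rejects the FileUpload package and anything outside java.base before readObject() is ever invoked; the filter pattern, limits and sample input are assumptions chosen for illustration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SafeDeserializer {
    // Assumed policy (not from the advisory): reject the FileUpload package outright,
    // allow only JDK java.base classes, reject every other class, and cap nesting
    // depth, reference count and stream size to blunt resource-exhaustion payloads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!org.apache.commons.fileupload.**;java.base/*;!*;maxdepth=16;maxrefs=1000;maxbytes=65536");

    // Deserialize untrusted bytes under the filter. A rejected class makes
    // ObjectInputStream throw InvalidClassException before its readObject() runs.
    public static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER); // JEP 290, JDK 9+
            return in.readObject();
        }
    }

    public static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Ask the filter what it would decide for a class, without building a stream;
    // useful for unit-testing the policy before deploying it.
    static ObjectInputFilter.Status decide(Class<?> cls) {
        return FILTER.checkInput(new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return cls; }
            public long arrayLength() { return -1; }
            public long depth() { return 1; }
            public long references() { return 0; }
            public long streamBytes() { return 0; }
        });
    }

    public static void main(String[] args) throws Exception {
        List<String> sample = new ArrayList<>(List.of("field=value")); // constructed input
        System.out.println("round trip: " + deserialize(serialize(sample)));
        System.out.println("ArrayList: " + decide(ArrayList.class));        // ALLOWED (java.base)
        System.out.println("app class: " + decide(SafeDeserializer.class)); // REJECTED (not allow-listed)
    }
}
```

On JDK 9 and later the same pattern can be applied process-wide with `-Djdk.serialFilter=...`, which covers streams the application does not construct itself.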