CUBA Platform
cpe:2.3:a:haulmont:cuba_platform:*:*:*:*:*:*:*
- >= 6.2.0, <= 7.2.22
A denial-of-service vulnerability has been identified in CUBA Platform versions prior to 7.2.23 and Jmix versions 1.0.0 through 1.6.1 and 2.0.0 through 2.3.4. The issue arises because the local file storage implementation does not limit the size of uploaded files. This lack of restriction allows an attacker to upload excessively large files, potentially filling up the server's storage capacity. As a result, the server may run out of space, leading to an HTTP 500 error and causing a denial-of-service condition. The vulnerability is particularly concerning because the application UI and the generic REST API are usually accessible only to authenticated users.
Excessive file uploads can exhaust server storage, causing the server to return an HTTP 500 error and disrupt normal operations, creating a denial-of-service condition.
Users can upgrade to CUBA Platform version 7.2.23 or Jmix versions 1.6.2 and 2.4.0. For those unable to upgrade immediately, instructions to disable the '/files' REST endpoint in Jmix or CUBA applications are available in the Jmix documentation.