Release Notes / Version 11.2304
Table Of Contents
The runtime dependency
commons-fileupload:commons-fileupload
has been removed in order to prevent vulnerability
CVE-2023-24998
. By removing the application property
spring.servlet.multipart.enabled=true
, the Studio server configuration has been changed from using
Commons Fileupload
for handling multipart requests to using the
Servlet API
.
To retain the defaults of the former Commons Fileupload implementation, the following default configurations for the Servlet API implementation have been changed:
spring.servlet.multipart.max-file-size=-1 spring.servlet.multipart.max-request-size=-1
Furthermore, the file size threshold has been set to prevent out-of-memory problems in the Studio server:
spring.servlet.multipart.file-size-threshold=100MB
For further information see the Spring documentation:
(CMS-22731)