
Java-based web applications that accept file uploads must ensure that an adversary cannot upload or transfer malicious files. If a restricted file containing code is executed by the target system, it can result in misuse of privileges. For example, an application that permits HTML files to be uploaded could allow malicious code to be executed: an attacker can submit a valid HTML file with a cross-site scripting payload that will execute in the absence of an output escaping routine. For this reason, many applications restrict the type of files that can be uploaded.

It may also be possible to upload files with dangerous extensions such as .exe and .sh, which may cause arbitrary code execution on server-side applications.

...

However, this approach does not ensure that the uploaded file conforms to the security requirements, because interceptor checks can be trivially bypassed. If an attacker uses a proxy tool to change the content type in the raw HTTP request in transit, the framework would not prevent the file's upload. Consequently, an attacker can upload a malicious file having a .exe extension.

This code appears to violate ERR08-J. Do not catch NullPointerException or any of its ancestors. However, it does not violate that rule, because it falls under the exception ERR08-EX2.

...

The AutoDetectParser selects the best available parser based on the content type of the file to be parsed.
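The following is an added example, not code from this page or from the standard. It is a JDK-only, simplified stand-in for the content-based detection that a parser library performs, and it shows why the client-supplied content type alone cannot be trusted. The class name `UploadTypeCheck`, the two-entry allowlist and the sample byte arrays are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class UploadTypeCheck {
    // Assumed policy: allowlisted MIME type -> leading signature bytes.
    private static final Map<String, byte[]> MAGIC = new LinkedHashMap<>();
    // Assumed policy: allowlisted MIME type -> the only extension accepted for it.
    private static final Map<String, String> EXTENSION = new LinkedHashMap<>();
    static {
        MAGIC.put("application/pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII));
        MAGIC.put("image/png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        EXTENSION.put("application/pdf", ".pdf");
        EXTENSION.put("image/png", ".png");
    }

    /** Returns the allowlisted type whose signature starts the content, or null if none does. */
    static String sniff(byte[] content) {
        for (Map.Entry<String, byte[]> e : MAGIC.entrySet()) {
            byte[] sig = e.getValue();
            if (content.length >= sig.length
                    && Arrays.equals(Arrays.copyOf(content, sig.length), sig)) {
                return e.getKey();
            }
        }
        return null;
    }

    /** Accepts an upload only if the declared type, the detected type and the extension agree. */
    static boolean accept(String fileName, String declaredType, byte[] content) {
        String detected = sniff(content);
        if (fileName == null || detected == null || !detected.equalsIgnoreCase(declaredType)) {
            return false; // the request header is attacker-controlled; the bytes decide
        }
        return fileName.toLowerCase(Locale.ROOT).endsWith(EXTENSION.get(detected));
    }

    public static void main(String[] args) {
        byte[] pdf = "%PDF-1.7\n".getBytes(StandardCharsets.US_ASCII); // constructed sample
        byte[] exe = {'M', 'Z', (byte) 0x90, 0x00, 0x03, 0x00};        // constructed sample
        // Name, header and content all agree.
        System.out.println(accept("report.pdf", "application/pdf", pdf));
        // Header rewritten in transit to an allowed type; content is not a PDF.
        System.out.println(accept("report.exe", "application/pdf", exe));
        // Genuine PDF bytes, but stored under an executable extension.
        System.out.println(accept("report.exe", "application/pdf", pdf));
    }
}
```

Only the first call is accepted. A signature match covers the leading bytes only, so a production check should still parse the whole file with a full parser before storing it.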

Applicability

 An arbitrary file upload vulnerability could result in privilege escalation and execution of arbitrary code.

Bibliography

...