CVE-2023-34396

CWE-770 — Allocation without Limits6 documents6 sources

Severity

7.5HIGH

EPSS

0.1%

top 68.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Struts Apache Software Foundation Apache Struts

Timeline

PublishedJun 14

Latest updateNov 21

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5apache_software_foundation/apache_struts2.5.30+1

▶NVDapache/struts6.0.0 — 6.1.2.1+1

▶Mavenorg.apache.struts:struts2-core6.0.0 — 6.1.2.1+1

▶Mavenorg.apache.struts:struts-core1.3.10

▶Mavenstruts:struts1.2.9

🔴Vulnerability Details

GHSA

Apache Struts vulnerable to memory exhaustion↗2023-06-14

▶

OSV

Apache Struts vulnerable to memory exhaustion↗2023-06-14

▶

CVEList

Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms↗2023-06-14

▶

📋Vendor Advisories

Atlassian

CVE-2023-34396: DoS (Denial of Service) apache-struts in Bamboo Data Center and Server↗2023-11-21

▶

Oracle

Oracle Oracle Communications Risk Matrix: CMP (Apache Struts) — CVE-2023-34396↗2023-10-15

▶