CVE-2023-41835 — Incomplete Cleanup in Apache Struts

CWE-459 — Incomplete Cleanup CWE-913 — Improper Control of Dynamically-Managed Code Resources6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 54.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Struts Apache Software Foundation Apache Struts

Timeline

PublishedDec 5

Latest updateFeb 20

Description

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/struts2.0.0 — 2.5.32+1

▶CVEListV5apache_software_foundation/apache_struts2.0.0 — 2.5.31+1

🔴Vulnerability Details

OSV

Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability↗2023-12-05

▶

CVEList

Apache Struts: excessive disk usage↗2023-12-05

▶

GHSA

Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability↗2023-12-05

▶

📋Vendor Advisories

Atlassian

CVE-2023-41835: DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Confluence Data Center and Serve r↗2024-02-20

▶

Red Hat

struts: Excessive disk usage during file upload↗2023-12-05

▶