CVE-2023-41835

Description

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected products

Apache Software Foundation / Apache Struts2.0.0 – 2.5.31
Apache Software Foundation / Apache Struts6.1.2.1 – 6.3.0

References

MAILING_LISThttps://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft
MAILING_LISThttps://www.openwall.com/lists/oss-security/2023/12/09/1