Summary

Excessive disk usage during file upload

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Denial of Service

Maximum security rating

moderate

Recommendation

Upgrade to Struts 2.5.32, 6.1.2.2, or 6.3.0.1 or greater

Affected Software

Struts 2.5.31, Struts 6.1.2.1 - Struts 6.3.0

Reporters

Matthew McClain

CVE Identifier

CVE-2023-41835

Problem

When a multipart request is performed but some of its fields exceed the maxStringLength limit, the uploaded files remain in struts.multipart.saveDir even though the request has been denied.
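The practical consequence of the problem is that rejected multipart requests leave orphaned temporary files behind, so disk usage in struts.multipart.saveDir grows with every denied request. A defender who cannot upgrade immediately will at least want to see the accumulation and reclaim the space. The following Python script is an added example, not part of the advisory or of the Struts project: it scans a save directory for temporary files older than a threshold and optionally removes them. The file-name pattern `*.tmp`, the directory layout, and the sample files are assumptions constructed for the demonstration; match the pattern to whatever your container actually writes into saveDir.

```python
import os
import tempfile
import time
from pathlib import Path


def find_stale_uploads(save_dir, max_age_seconds, pattern="*.tmp", now=None):
    """Return the files in save_dir matching pattern whose mtime is older than
    max_age_seconds. A normal multipart request is consumed within seconds, so
    anything much older is an orphan left behind by a rejected request.

    pattern="*.tmp" is an assumption; adjust it to the names your setup produces.
    """
    now = time.time() if now is None else now
    stale = []
    for path in Path(save_dir).glob(pattern):
        if path.is_file() and (now - path.stat().st_mtime) > max_age_seconds:
            stale.append(path)
    return sorted(stale)


def sweep_stale_uploads(save_dir, max_age_seconds, pattern="*.tmp",
                        dry_run=True, now=None):
    """Report (and, unless dry_run, delete) stale upload files.

    Returns (number_of_files, bytes_reclaimed). In dry-run mode the counts
    describe what *would* be removed, which is the safe default for a cron job
    or a monitoring check that only alerts.
    """
    stale = find_stale_uploads(save_dir, max_age_seconds, pattern, now)
    total_bytes = sum(p.stat().st_size for p in stale)
    if not dry_run:
        for p in stale:
            # missing_ok guards against a race with the application itself
            p.unlink(missing_ok=True)
    return len(stale), total_bytes


def build_sample_save_dir(now=None):
    """Construct a throwaway directory that mimics a saveDir after some
    rejected uploads. This is demo data, not files produced by Struts:
    one stale temp file, one fresh temp file and one unrelated file."""
    now = time.time() if now is None else now
    save_dir = Path(tempfile.mkdtemp(prefix="saveDir-"))

    stale = save_dir / "upload_stale.tmp"        # orphan from an old denied request
    stale.write_bytes(b"x" * 1024)
    old = now - 3600                              # one hour old
    os.utime(stale, (old, old))

    fresh = save_dir / "upload_fresh.tmp"        # request still in flight
    fresh.write_bytes(b"y" * 512)
    os.utime(fresh, (now, now))

    (save_dir / "notes.txt").write_text("not an upload")  # ignored by the pattern
    return save_dir


if __name__ == "__main__":
    demo_dir = build_sample_save_dir()
    count, size = sweep_stale_uploads(demo_dir, max_age_seconds=600, dry_run=True)
    print(f"{demo_dir}: {count} stale upload file(s), {size} bytes reclaimable")
    sweep_stale_uploads(demo_dir, max_age_seconds=600, dry_run=False)
```

Run it periodically against the real saveDir with a threshold comfortably above your longest legitimate upload; a steadily rising count of stale files after denied requests is the observable symptom of this issue, and it also gives a quick way to confirm that the upgrade has made the orphans stop appearing.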

Solution

Upgrade to Struts 2.5.32, 6.1.2.2, 6.3.0.1 or greater.

Backward compatibility

No issues expected when upgrading to Struts 2.5.32, 6.1.2.2 or 6.3.0.1

Workaround

n/a
