Summary
DoS via OOM owing to improper checking of list bounds.

Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Denial of Service |
Maximum security rating | Important |
Recommendation | Upgrade to Struts 2.5.31 or 6.1.2.1 or greater |
Affected Software | Struts 2.0.0 - Struts 6.1.2 |
Reporters | Matthew McClain |
CVE Identifier | CVE-2023-34149 |
Problem
WW-4620 added autoGrowCollectionLimit to XWorkListPropertyAccessor, but it only enforces the limit in setProperty() and not in getProperty(). This could lead to an OOM if a developer has set CreateIfNull to true for the underlying Collection type field, because a read at a large index grows the list without any bound.
Solution
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
Backward compatibility
No issues expected when upgrading to Struts 2.5.31 or 6.1.2.1.
Workaround
Set CreateIfNull to false for Collection type fields (it is false by default if it is not set).
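The following is an added, simplified model of the behaviour described in the Problem and Workaround sections; it is not XWork's own accessor code. The class names, the assumed default limit of 255 and the sample index are constructed for illustration. It contrasts the pre-fix read path (limit only on writes), the fixed read path (limit on reads too) and the workaround (CreateIfNull left false).

```java
import java.util.ArrayList;
import java.util.List;

/** Model of a list property accessor that auto-grows a List to a requested index when CreateIfNull is true. */
public final class ListGrowModel {

    static final class Accessor {
        private final boolean createIfNull;   // Struts' CreateIfNull conversion flag
        private final int autoGrowLimit;      // assumed default of 255 (value is an assumption)
        private final boolean limitReadsToo;  // false models the pre-fix getProperty()

        Accessor(boolean createIfNull, int autoGrowLimit, boolean limitReadsToo) {
            this.createIfNull = createIfNull;
            this.autoGrowLimit = autoGrowLimit;
            this.limitReadsToo = limitReadsToo;
        }

        /** Write path: WW-4620 already enforces the grow limit here. */
        Object setProperty(List<Object> list, int index, Object value) {
            checkLimit(index);
            grow(list, index);
            list.set(index, value);
            return value;
        }

        /** Read path: without the limit check, one read at a large index grows the list unboundedly. */
        Object getProperty(List<Object> list, int index) {
            if (!createIfNull) {                       // workaround: never grow on read
                return index < list.size() ? list.get(index) : null;
            }
            if (limitReadsToo) checkLimit(index);      // the fix: same bound as the write path
            grow(list, index);
            return list.get(index);
        }

        private void checkLimit(int index) {
            if (index > autoGrowLimit) {
                throw new IndexOutOfBoundsException("index " + index + " exceeds autoGrowCollectionLimit " + autoGrowLimit);
            }
        }

        private static void grow(List<Object> list, int index) {
            while (list.size() <= index) list.add(null);   // one allocation per index is what exhausts the heap
        }
    }

    public static void main(String[] args) {
        int largeIndex = 100_000;                          // constructed sample index
        List<Object> before = new ArrayList<>();
        new Accessor(true, 255, false).getProperty(before, largeIndex);
        System.out.println("pre-fix read grew the list to " + before.size() + " entries");
        try {
            new Accessor(true, 255, true).getProperty(new ArrayList<>(), largeIndex);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("fixed read refused: " + e.getMessage());
        }
        List<Object> safe = new ArrayList<>();
        Object v = new Accessor(false, 255, false).getProperty(safe, largeIndex);
        System.out.println("CreateIfNull=false returns " + v + " and leaves size " + safe.size());
    }
}
```

Running it shows the pre-fix read allocating 100001 entries from a single read, the fixed read rejecting the index, and the workaround returning null without growing the list.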