Summary

DoS via OOM owing to not properly checking of list bounds.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Denial of Service

Maximum security rating

Important

Recommendation

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

Affected Software

Struts 2.0.0 - Struts 6.1.2

Reporters

Matthew McClain

CVE Identifier

CVE-2023-34149

Problem

WW-4620 added autoGrowCollectionLimit to XWorkListPropertyAccessor, but it only handles setProperty() and not getProperty(). This could lead to OOM if developer has set CreateIfNull to true for the underlying Collection type field.

Solution

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

Backward compatibility

No issues expected when upgrading to Struts 2.5.31 or 6.1.2.1

Workaround

Set CreateIfNull to false for Collection type fields (it's by default false if it's not set).

  • No labels