Summary
Excessive disk usage during file uploadWho should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Denial of Service |
Maximum security rating | moderate |
Recommendation | Upgrade to Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater |
Affected Software | Struts 2.5.31, Struts 6.1.2.1 - Struts 6.3.0 |
Reporters | Matthew McClain |
CVE Identifier | CVE-2023-41835 |
Problem
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.
Solution
Upgrade to Struts 2.5.32, 6.1.2.2, 6.3.0.1 or greater.
Backward compatibility
No issues expected when upgrading to Struts 2.5.32, 6.1.2.2 or 6.3.01
Workaround
n/a