Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms
CVE-2023-34396

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Struts
Vendor: CVE Published:; 14 June 2023

What is CVE-2023-34396?

A resource management flaw exists in Apache Struts that could allow an attacker to cause excessive resource consumption by failing to limit resource allocation. This vulnerability affects versions of Apache Struts up to 2.5.30 and 6.1.2. To mitigate potential risks, users are advised to upgrade to Apache Struts version 2.5.31 or 6.1.2.1 or above.

Affected Version(s)

Apache Struts 0 <= 2.5.30

Apache Struts 0 <= 6.1.2

References

https://cwiki.apache.org/confluence/display/WW/S2-064

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/06/14/3

https://security.netapp.com/advisory/ntap-20230706-0005/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 14, 2023
Vulnerability Reserved
Jun 4, 2023

Credit

Matthew McClain