Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms
CVE-2023-34396

7.5HIGH

Key Information:

Vendor
Apache
Vendor
CVE Published:
14 June 2023

Summary

A resource management flaw exists in Apache Struts that could allow an attacker to cause excessive resource consumption by failing to limit resource allocation. This vulnerability affects versions of Apache Struts up to 2.5.30 and 6.1.2. To mitigate potential risks, users are advised to upgrade to Apache Struts version 2.5.31 or 6.1.2.1 or above.

Affected Version(s)

Apache Struts 0 <= 2.5.30

Apache Struts 0 <= 2.5.30

Apache Struts 0 <= 6.1.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew McClain
.