Apache Struts: excessive disk usage
CVE-2023-41835

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Struts
Vendor: CVE Published:; 5 December 2023

Summary

A vulnerability exists in Apache Struts that allows uploaded files to persist in the struts.multipart.saveDir directory even if a Multipart request is denied due to fields exceeding the maxStringLength limit. This potential exposure of files can lead to unauthorized access or data leakage. Users are strongly advised to upgrade to Struts version 2.5.32, 6.1.2.2, or 6.3.0.1 and above to mitigate this issue effectively.

Affected Version(s)

Apache Struts 2.0.0 <= 2.5.31

Apache Struts 6.1.2.1 <= 6.3.0

References

https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl...

mailing-listvendor-advisory

https://www.openwall.com/lists/oss-security/2023/12/09/1

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 5, 2023
Vulnerability Reserved
Sep 4, 2023