Bug 2252931 (CVE-2023-41835)

Summary: CVE-2023-41835 struts: Excessive disk usage during file upload
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adupliak, aileenc, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, cmoulliard, csutherl, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, fjuma, fmariani, fmongiar, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jclere, jmartisk, jnethert, jpechane, jpoth, jrokos, jscholz, kverlaen, lball, lgao, lthon, matzew, max.andersen, mmadzin, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rjohnson, rkieley, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, smaestri, sthorger, swoodman, szappis, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: struts 2.5.32, struts 6.1.2.2, struts 6.3.0.1
Doc Type: ---
Doc Text:
A flaw was found in Apache Struts. When a multipart request is processed but one of its fields exceeds the maxStringLength limit, the uploaded files remain in struts.multipart.saveDir even though the request has been denied.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2252932

Description Pedro Sampaio 2023-12-05 10:28:43 UTC
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.
Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.
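The failure mode above is a resource-cleanup bug: file parts are written to the save directory before a later text field is validated, so a rejection leaves the uploads behind and disk fills up over repeated rejected requests. The following is an added, language-neutral illustration written for this page, not Struts code and not the upstream fix: it models a multipart handler over a temporary directory, shows the leaky behaviour beside a hardened variant that removes every file the request wrote before re-raising, and measures what is left on disk. MAX_STRING_LENGTH, the part tuples and the file naming are constructed for the example.

```python
import shutil
import tempfile
from pathlib import Path

# Constructed limit for the example; Struts' real maxStringLength default is not assumed.
MAX_STRING_LENGTH = 16


class RequestRejected(Exception):
    """Raised when a form field exceeds MAX_STRING_LENGTH."""


def _process_parts(parts, save_dir, saved):
    """Walk the multipart parts in order. File parts are written to save_dir
    (standing in for struts.multipart.saveDir) before later fields are checked,
    which is why a rejection can leave uploads behind. Paths of files written
    so far are appended to `saved` so a caller can undo them."""
    for name, kind, payload in parts:
        if kind == "file":
            path = Path(save_dir) / f"upload_{name}.tmp"
            path.write_bytes(payload)
            saved.append(path)
        elif kind == "field":
            if len(payload) > MAX_STRING_LENGTH:
                raise RequestRejected(f"field {name!r} exceeds maxStringLength")
        else:
            raise ValueError(f"unknown part kind {kind!r}")


def handle_multipart_leaky(parts, save_dir):
    """Behaviour described in the bug: the exception propagates and the
    files already written to save_dir are never removed."""
    saved = []
    _process_parts(parts, save_dir, saved)
    return saved


def handle_multipart_fixed(parts, save_dir):
    """Hardened variant: any failure after a file has been written removes
    every file this request wrote, then the error is re-raised."""
    saved = []
    try:
        _process_parts(parts, save_dir, saved)
    except Exception:
        for path in saved:
            path.unlink(missing_ok=True)
        raise
    return saved


def run_request(handler, parts):
    """Run one request against a fresh temporary save_dir and return
    (was_rejected, sorted names of files left behind). The directory is
    removed afterwards so repeated runs do not accumulate on disk."""
    save_dir = tempfile.mkdtemp(prefix="struts_saveDir_")
    try:
        try:
            handler(parts, save_dir)
            rejected = False
        except RequestRejected:
            rejected = True
        leftover = sorted(p.name for p in Path(save_dir).iterdir())
        return rejected, leftover
    finally:
        shutil.rmtree(save_dir, ignore_errors=True)


# Constructed request: a file part followed by an over-long text field.
OVERSIZED_REQUEST = [
    ("document", "file", b"A" * 4096),
    ("comment", "field", "x" * (MAX_STRING_LENGTH + 1)),
]

# Constructed request that stays within the limit.
VALID_REQUEST = [
    ("document", "file", b"A" * 4096),
    ("comment", "field", "short"),
]

if __name__ == "__main__":
    print("leaky:", run_request(handle_multipart_leaky, OVERSIZED_REQUEST))
    print("fixed:", run_request(handle_multipart_fixed, OVERSIZED_REQUEST))
```

The leaky handler reports the request as rejected yet leaves `upload_document.tmp` in the save directory; the fixed handler rejects it and leaves nothing. For deployments that cannot upgrade immediately, the same measurement (count and age of files in struts.multipart.saveDir) is what a disk-usage alert or a periodic sweep of stale temporary files should watch.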

References:

https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft