Bug 2252931 (CVE-2023-41835) - CVE-2023-41835 struts: Excessive disk usage during file upload
Summary: CVE-2023-41835 struts: Excessive disk usage during file upload
Keywords:
Status: NEW
Alias: CVE-2023-41835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2252932
Reported: 2023-12-05 10:28 UTC by Pedro Sampaio
Modified: 2024-05-03 18:49 UTC (History)

Fixed In Version: struts 2.5.32, struts 6.1.2.2, struts 6.3.0.1
Doc Type: ---
Doc Text:
A flaw was found in struts. When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in 'struts.multipart.saveDir', even if the request has been denied.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2023-12-05 10:28:43 UTC
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.
Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.

References:

https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft

