CVE-2023-41835

2023-12-0509:15:07

CWE-459

[email protected]

web.nvd.nist.gov

multipart request

maxstringlength

struts.multipart.savedir

security issue

cve-2023-41835

upgrade

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.4%

JSON

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.
Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.

Affected configurations

Vulners

NVD

Node

apachestrutsRange≤2.5.31

apachestrutsRange≤6.3.0

CPENameOperatorVersion
apache:strutsapache strutslt2.5.32
apache:strutsapache strutslt6.3.0.1

CPE	Name	Operator	Version
apache:struts	apache struts	lt	2.5.32
apache:struts	apache struts	lt	6.3.0.1

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.struts",
    "product": "Apache Struts",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.5.31",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "6.3.0",
        "status": "affected",
        "version": "6.1.2.1",
        "versionType": "semver"
      }
    ]
  }
]