CVE-2023-41835 – org.apache.struts:struts2-core
Package
Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=6.2.0 <6.3.0.1 || >=6.0.0 <6.1.2.2 || >=0 <2.5.32
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00197 (percentile 0.41953)
Details
Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability

When a multipart request is performed but some of the fields exceed the maxStringLength limit, the uploaded files remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to Struts 2.5.32, 6.1.2.2, 6.3.0.1 or greater, which fix this issue.
Metadata
Created: 2023-12-05T09:33:27Z
Modified: 2023-12-12T21:45:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-729q-fcgp-r5xh/GHSA-729q-fcgp-r5xh.json
CWE IDs: ["CWE-459"]
Alternative ID: GHSA-729q-fcgp-r5xh
Finding: F082
Auto approve: 1