Lucene search

GitHub Advisory DatabaseGHSA-729Q-FCGP-R5XH

HistoryDec 05, 2023 - 9:33 a.m.

Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability

2023-12-0509:33:27

CWE-459

GitHub Advisory Database

github.com

apache struts

multipart request

maxstringlength

vulnerability

file upload

security patch

software

6.8 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

65.2%

JSON

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.
Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.

CPENameOperatorVersion
org.apache.struts:struts2-corelt2.5.32
org.apache.struts:struts2-corelt6.1.2.2
org.apache.struts:struts2-corelt6.3.0.1

Name	Operator	Version
org.apache.struts:struts2-core	lt	2.5.32
org.apache.struts:struts2-core	lt	6.1.2.2
org.apache.struts:struts2-core	lt	6.3.0.1

References

www.openwall.com/lists/oss-security/2023/12/09/1

github.com/advisories/GHSA-729q-fcgp-r5xh

github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a

github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7

github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711

lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft

nvd.nist.gov/vuln/detail/CVE-2023-41835