Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03MjlxLWZjZ3AtcjV4aM4AA3kR
Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability
When a multipart request is processed but one or more of its form fields exceed the maxStringLength limit, the uploaded files remain in struts.multipart.saveDir even though the request has been rejected. Each such request leaves its spool files behind, so repeated requests consume disk space on the server; this is an availability-only issue, matching the CVSS vector below (C:N/I:N/A:H).
Users are recommended to upgrade to Struts 2.5.32, 6.1.2.2, or 6.3.0.1 or later, which fix this issue.
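The advisory offers no mitigation other than upgrading. As an added example, not Struts project code and not part of this advisory, the script below lists (or, with dry_run=False, removes) spool files in struts.multipart.saveDir that have gone untouched for longer than any request could legitimately take. It is a stopgap for hosts that cannot be patched immediately, not a replacement for the upgrade. The upload_*.tmp naming is an assumption about the commons-fileupload DiskFileItem spool files Struts uses; adjust it if your parser names them differently. The fixture directory the script builds is constructed for the demonstration.

```python
"""Find (and optionally delete) stale upload spool files left in struts.multipart.saveDir.

Added example, not Struts project code. Assumptions are marked as such.
"""
from __future__ import annotations

import fnmatch
import os
import tempfile
import time
from pathlib import Path

# Assumption: uploads are spooled by commons-fileupload's DiskFileItem, whose
# temp files are named upload_<uid>_<n>.tmp. Change this if your deployment's
# multipart parser names its spool files differently.
TEMP_GLOB = "upload_*.tmp"


def stale_uploads(save_dir: str | os.PathLike, max_age_seconds: float,
                  now: float | None = None) -> list[Path]:
    """Return spool files in save_dir untouched for longer than max_age_seconds.

    Only the top level of save_dir is examined and only regular files matching
    TEMP_GLOB are considered, so unrelated files in a shared temp directory are
    never touched. Files younger than the threshold may belong to in-flight
    requests and are left alone.
    """
    now = time.time() if now is None else now
    stale: list[Path] = []
    for entry in os.scandir(save_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not fnmatch.fnmatch(entry.name, TEMP_GLOB):
            continue
        age = now - entry.stat(follow_symlinks=False).st_mtime
        if age > max_age_seconds:
            stale.append(Path(entry.path))
    return sorted(stale)


def sweep(save_dir: str | os.PathLike, max_age_seconds: float,
          dry_run: bool = True, now: float | None = None) -> list[Path]:
    """Delete stale spool files, or only list them when dry_run is True."""
    victims = stale_uploads(save_dir, max_age_seconds, now)
    if not dry_run:
        for path in victims:
            try:
                path.unlink()
            except FileNotFoundError:
                pass  # a request handler may have removed it in the meantime
    return victims


def build_demo_save_dir(now: float) -> str:
    """Create a constructed saveDir fixture: two orphaned spool files, one
    in-flight spool file and one unrelated file. Returns the directory path."""
    d = tempfile.mkdtemp(prefix="struts-savedir-")
    fixtures = {
        "upload_1a2b3c_00000001.tmp": now - 3 * 3600,   # orphaned 3 h ago
        "upload_1a2b3c_00000002.tmp": now - 2 * 3600,   # orphaned 2 h ago
        "upload_9f8e7d_00000003.tmp": now - 30,         # still being written
        "notes.txt": now - 24 * 3600,                   # not a spool file
    }
    for name, mtime in fixtures.items():
        p = Path(d, name)
        p.write_bytes(b"x" * 16)
        os.utime(p, (mtime, mtime))
    return d


if __name__ == "__main__":
    t0 = time.time()
    demo = build_demo_save_dir(t0)
    for p in sweep(demo, max_age_seconds=15 * 60, dry_run=True, now=t0):
        print("stale:", p.name)
```

Run it from cron against the real saveDir with a max age comfortably above your request timeout, first with dry_run=True to confirm it only matches spool files, then without. Keep the directory on its own filesystem or quota so that leftover spool files cannot starve the rest of the host.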
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MjlxLWZjZ3AtcjV4aM4AA3kR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-729q-fcgp-r5xh, CVE-2023-41835
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-41835
- https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft
- https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a
- https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7
- https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711
- http://www.openwall.com/lists/oss-security/2023/12/09/1
- https://www.openwall.com/lists/oss-security/2023/12/09/1
- https://github.com/advisories/GHSA-729q-fcgp-r5xh
Blast Radius: 28.4
Affected Packages
maven:org.apache.struts:struts2-core
Dependent packages: 194
Dependent repositories: 6,183
Affected Version Ranges: < 2.5.32; >= 6.0.0, < 6.1.2.2; >= 6.2.0, < 6.3.0.1
Fixed in: 2.5.32, 6.1.2.2, 6.3.0.1
All affected versions (as listed by the page): 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0. Note that 6.4.0 lies outside every affected range above and above the 6.3.0.1 fix, so the ranges and the Fixed in line, not this list, should be treated as authoritative.
All unaffected versions (as listed by the page): 2.5.32, 2.5.33. The list covers only the 2.5.x line; 6.1.2.2 and 6.3.0.1 are likewise fixed per the ranges above.
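The affected ranges use four-component patch versions (6.1.2.2, 6.3.0.1) alongside three-component ones, which naive string comparison gets wrong (2.5.9 sorts after 2.5.32 as text). As an added example, not from the advisory or from Struts, the checker below encodes the three affected ranges as stated above, compares versions numerically, and scans `mvn dependency:tree` output for struts2-core coordinates. The sample tree output is constructed for the demonstration.

```python
"""Decide whether a struts2-core version falls inside the affected ranges of
GHSA-729q-fcgp-r5xh / CVE-2023-41835, and scan `mvn dependency:tree` output
for it. Added example; not part of the advisory or of Struts."""
from __future__ import annotations

import re

# The three affected ranges from the advisory: (lower bound inclusive or None,
# upper bound exclusive). The upper bounds are exactly the "Fixed in" versions.
AFFECTED_RANGES: tuple[tuple[str | None, str], ...] = (
    (None, "2.5.32"),
    ("6.0.0", "6.1.2.2"),
    ("6.2.0", "6.3.0.1"),
)

_NUMERIC = re.compile(r"\d+(?:\.\d+)*")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '6.1.2.2' into (6, 1, 2, 2).

    Struts patch releases carry a fourth component, so compare() pads with
    zeros instead of truncating: 6.1.2 must sort below 6.1.2.2 and 6.3.0
    below 6.3.0.1, while 6.0 and 6.0.0 compare equal."""
    m = _NUMERIC.fullmatch(v.strip())
    if m is None:
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is below, equal to or above b."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version: str) -> bool:
    """True when version lies inside any of the affected ranges."""
    return any(
        (low is None or compare(version, low) >= 0) and compare(version, high) < 0
        for low, high in AFFECTED_RANGES
    )


# Matches the coordinate printed by `mvn dependency:tree`. A qualifier such as
# -SNAPSHOT after the numeric part is deliberately not captured.
_COORD = re.compile(r"org\.apache\.struts:struts2-core:jar:(\d+(?:\.\d+)*)")


def scan_dependency_tree(text: str) -> list[tuple[str, bool]]:
    """Return (version, affected) for every struts2-core coordinate in the tree."""
    return [(v, is_affected(v)) for v in _COORD.findall(text)]


# Constructed sample of `mvn dependency:tree` output for two modules; not from
# any real project.
SAMPLE_TREE = (
    "[INFO] com.example:legacy-webapp:war:1.0\n"
    "[INFO] +- org.apache.struts:struts2-core:jar:2.5.30:compile\n"
    "[INFO] |  \\- commons-fileupload:commons-fileupload:jar:1.4:compile\n"
    "[INFO] com.example:new-webapp:war:1.0\n"
    "[INFO] \\- org.apache.struts:struts2-core:jar:6.3.0.1:compile\n"
)


if __name__ == "__main__":
    for version, hit in scan_dependency_tree(SAMPLE_TREE):
        print(f"struts2-core {version}: {'AFFECTED' if hit else 'ok'}")
```

To use it on a real build, pipe `mvn dependency:tree` output into scan_dependency_tree; transitive copies pulled in by other artifacts show up in the tree too, which is exactly where a stale struts2-core tends to hide. Versions with a qualifier (for example 2.5.30-SNAPSHOT) are reduced to their numeric part by the scanner but rejected by parse_version, so a pre-release is judged by the release it is based on.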