VDB

CISA-2023-41835

CISA-2023-41835 PUBLISHED CVSS 7.5 HIGH

Reported by apache · Published December 5, 2023

When a Multipart request is performed but some of the fields exceed the maxStringLength  limit, the upload files will remain in struts.multipart.saveDir  even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Apache Software FoundationApache Struts2.0.0, 6.1.2.1
Apache Software FoundationApache Struts6.1.2.1, 2.0.0, 6.1.2.1

Timeline

  • Dec 5, 2023 CVE Published
  • May 28, 2025 CVE Updated

References

  • mailing-listvendor-advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›