CVE-2023-41835

HIGH

Struts <2.5.32-6.3.0.1 - Info Disclosure

Title source: llm

Description

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.

References (3)

[Mailing List, Third Party Advisory] https://www.openwall.com/lists/oss-security/2023/12/09/1

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20231013-0001/

[Mailing List, Release Notes] https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft

Scores

CVSS v3 7.5

EPSS 0.0022

EPSS Percentile 44.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-459

Status published

Products (2)

apache/struts 2.0.0 - 2.5.32

org.apache.struts/struts2-core 6.2.0 - 6.3.0.1Maven

Published Dec 05, 2023

Tracked Since Feb 18, 2026