CVE-2023-41835
Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability
CVSS 3.1: 7.5 (HIGH)
EPSS: 0.22%
Description
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.
How to fix CVE-2023-41835
To remediate CVE-2023-41835, upgrade the affected package to a fixed version below.
- Upgrade to 6.3.0.1 or later
Is CVE-2023-41835 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 6.2.0, < 6.3.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |