CVE-2023-41835: Improper Control of Dynamically-Managed Code Resources
When a multipart request is performed but some of the fields exceed the maxStringLength limit, the uploaded files remain in struts.multipart.saveDir even though the request has been denied. Users are recommended to upgrade to Struts 2.5.32, 6.1.2.2, or 6.3.0.1 or greater, which fix this issue.
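The resource-leak pattern behind this advisory, shown as an added illustration in a stripped-down Python model of a multipart parser rather than Struts code: the leaky variant writes file parts to the save directory before a later form field is rejected for exceeding the length limit, while the hardened variant removes those files on the same rejection path. MAX_STRING_LENGTH, the part dictionaries and the sample request are constructed assumptions standing in for struts.multipart.maxStringLength, struts.multipart.saveDir and a real multipart body.

```python
import os
import tempfile

# Constructed limit standing in for struts.multipart.maxStringLength (tiny for the demo).
MAX_STRING_LENGTH = 8


def _write_temp(save_dir, filename, data):
    """Persist one file part to save_dir, as a multipart parser does while streaming."""
    fd, path = tempfile.mkstemp(prefix="upload_", suffix="_" + filename, dir=save_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def parse_multipart_leaky(parts, save_dir):
    """Pre-fix behaviour: a form field over the limit raises, but file parts
    already written to save_dir are left behind."""
    saved = []
    for part in parts:
        if part.get("filename"):
            saved.append(_write_temp(save_dir, part["filename"], part["data"]))
        elif len(part["data"]) > MAX_STRING_LENGTH:
            raise ValueError(f"field {part['name']} exceeds maxStringLength")
    return saved


def parse_multipart_fixed(parts, save_dir):
    """Hardened variant: the rejection path removes every temp file written so far."""
    saved = []
    try:
        for part in parts:
            if part.get("filename"):
                saved.append(_write_temp(save_dir, part["filename"], part["data"]))
            elif len(part["data"]) > MAX_STRING_LENGTH:
                raise ValueError(f"field {part['name']} exceeds maxStringLength")
    except ValueError:
        for path in saved:
            if os.path.exists(path):
                os.remove(path)
        raise
    return saved


def leftover_files(parser):
    """Run one rejected request through `parser`; return what remains in save_dir."""
    save_dir = tempfile.mkdtemp(prefix="saveDir_")
    parts = [  # constructed request: a file part followed by an oversized text field
        {"name": "upload", "filename": "report.pdf", "data": b"%PDF-1.4 sample"},
        {"name": "comment", "filename": None, "data": b"x" * 64},
    ]
    try:
        parser(parts, save_dir)
    except ValueError:
        pass
    return sorted(os.listdir(save_dir))
```

Running `leftover_files` with each parser shows one orphaned upload for the leaky version and an empty directory for the fixed one.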
References
- github.com/advisories/GHSA-729q-fcgp-r5xh
- github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a
- github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7
- github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711
- lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft
- nvd.nist.gov/vuln/detail/CVE-2023-41835