CVE-2023-41835: Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability
When a multipart request is performed but some of its fields exceed the maxStringLength limit, the uploaded files remain in struts.multipart.saveDir even though the request has been denied. Users are recommended to upgrade to Struts 2.5.32, 6.1.2.2 or 6.3.0.1 or greater, which fix this issue.
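The behaviour described above, as an added example that is not Apache Struts code: a miniature multipart handler saves file parts into a save directory as they stream in, then denies the request when a text field is longer than a limit. With `cleanup_on_deny=False` it leaves the already-written upload behind, which is the failure mode of this advisory; with `cleanup_on_deny=True` it deletes what it wrote before re-raising, which is the shape of the fix. A `sweep_stale_uploads` function shows the compensating control an operator can run against the save directory of an instance that cannot be patched yet. The `MAX_STRING_LENGTH` constant, the parser, the sample request body and all file names are constructed for this illustration and are not Struts settings or APIs.

```python
"""Added example (not Apache Struts code): mirrors the CVE-2023-41835 failure
mode, its fix, and a compensating sweep of the save directory."""
import os
import shutil
import tempfile
import time

# Hypothetical limit standing in for Struts' maxStringLength on text fields.
MAX_STRING_LENGTH = 64


class RequestDenied(Exception):
    """Raised when a text field exceeds MAX_STRING_LENGTH."""


def build_multipart(parts, boundary):
    """Encode (name, filename_or_None, payload_bytes) tuples as multipart/form-data."""
    out = []
    for name, filename, payload in parts:
        disp = f'form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out.append(f"--{boundary}\r\nContent-Disposition: {disp}\r\n\r\n".encode() + payload + b"\r\n")
    out.append(f"--{boundary}--\r\n".encode())
    return b"".join(out)


def parse_parts(body, boundary):
    """Yield (name, filename_or_None, payload); payloads must not contain the delimiter."""
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        header_blob, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):
            payload = payload[:-2]
        headers = {}
        for line in header_blob.strip().split(b"\r\n"):
            key, _, value = line.decode().partition(":")
            headers[key.strip().lower()] = value.strip()
        params = {}
        for param in headers.get("content-disposition", "").split(";")[1:]:
            key, _, value = param.strip().partition("=")
            params[key] = value.strip('"')
        yield params.get("name", ""), params.get("filename"), payload


def handle_upload(body, boundary, save_dir, cleanup_on_deny):
    """Save file parts to save_dir as they arrive; deny when a text field is too long.
    cleanup_on_deny=False reproduces the advisory (uploads stay behind after denial),
    cleanup_on_deny=True removes them before re-raising, like the fix."""
    saved = []
    try:
        for name, filename, payload in parse_parts(body, boundary):
            if filename is None:
                if len(payload) > MAX_STRING_LENGTH:
                    raise RequestDenied(f"field {name!r} exceeds {MAX_STRING_LENGTH} bytes")
                continue
            fd, path = tempfile.mkstemp(prefix="upload_", dir=save_dir)
            with os.fdopen(fd, "wb") as fh:
                fh.write(payload)
            saved.append(path)
    except RequestDenied:
        if cleanup_on_deny:
            for path in saved:
                os.remove(path)
            saved.clear()
        raise
    return saved


def sweep_stale_uploads(save_dir, max_age_seconds, now=None):
    """Compensating control: delete files in save_dir older than max_age_seconds."""
    now = time.time() if now is None else now
    removed = 0
    for entry in os.scandir(save_dir):
        if entry.is_file() and now - entry.stat().st_mtime > max_age_seconds:
            os.remove(entry.path)
            removed += 1
    return removed


def demo_denied_request(cleanup_on_deny):
    """One constructed request (file first, then an oversized text field); returns
    how many files are left behind in a throwaway save_dir."""
    save_dir = tempfile.mkdtemp(prefix="saveDir_")
    try:
        boundary = "ConstructedBoundary"
        body = build_multipart([
            ("attachment", "report.txt", b"constructed attachment body"),
            ("notes", None, b"x" * (MAX_STRING_LENGTH + 1)),
        ], boundary)
        try:
            handle_upload(body, boundary, save_dir, cleanup_on_deny)
        except RequestDenied:
            pass
        return len(os.listdir(save_dir))
    finally:
        shutil.rmtree(save_dir)


def demo_sweep():
    """The sweep removes an old leftover and keeps a fresh in-flight upload."""
    save_dir = tempfile.mkdtemp(prefix="saveDir_")
    try:
        old, new = (os.path.join(save_dir, n) for n in ("upload_old", "upload_new"))
        for path in (old, new):
            open(path, "wb").close()
        os.utime(old, (0, 0))  # pretend the leftover was written at the epoch
        removed = sweep_stale_uploads(save_dir, max_age_seconds=3600)
        return removed, sorted(os.listdir(save_dir))
    finally:
        shutil.rmtree(save_dir)
```

Running `demo_denied_request(False)` reports one orphaned file and `demo_denied_request(True)` reports none; the ordering in the constructed body matters, because the leak only occurs for parts that were written before the oversized field was seen. The sweep's age threshold should exceed the longest legitimate request duration so that in-flight uploads are never deleted.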
References
- github.com/advisories/GHSA-729q-fcgp-r5xh
- github.com/apache/struts
- github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a
- github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7
- github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711
- lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft
- nvd.nist.gov/vuln/detail/CVE-2023-41835
- security.netapp.com/advisory/ntap-20231013-0001
- www.openwall.com/lists/oss-security/2023/12/09/1
Detect and mitigate CVE-2023-41835 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.