Bug 1217823 (CVE-2023-41835)

Summary: VUL-0: CVE-2023-41835: struts: excessive disk usage during file upload
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Dario Leidi <dleidi>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/387116/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-41835:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-12-05 13:17:38 UTC
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.
Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41835
https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft
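Until the upgrade is rolled out, the practical exposure is temp files accumulating in struts.multipart.saveDir; the watchdog below, an added example and not part of the bug report or of Struts, reports and optionally removes regular files in that directory older than an assumed age threshold (age-based filtering is what keeps it from touching uploads still in flight). The directory path, the 15-minute default and the cleanup function names are assumptions.

```python
import os
import time
from pathlib import Path


def find_stale_uploads(save_dir, max_age_seconds=900, now=None):
    """Return (stale, total_bytes) for regular files in save_dir whose mtime is
    at least max_age_seconds old. Each entry is (path, size, age_seconds),
    largest age first. The 900 s default is an assumption, not a Struts value."""
    now = time.time() if now is None else now
    stale, total = [], 0
    for entry in Path(save_dir).iterdir():
        if not entry.is_file():
            continue  # ignore subdirectories and special files
        st = entry.stat()
        age = now - st.st_mtime
        if age >= max_age_seconds:
            stale.append((str(entry), st.st_size, age))
            total += st.st_size
    stale.sort(key=lambda item: item[2], reverse=True)
    return stale, total


def cleanup_stale_uploads(save_dir, max_age_seconds=900, dry_run=True, now=None):
    """Remove the files find_stale_uploads reports (unless dry_run).
    Returns (count, total_bytes) so a caller can alert on growth."""
    stale, total = find_stale_uploads(save_dir, max_age_seconds, now)
    for path, _size, _age in stale:
        if not dry_run:
            os.remove(path)
    return len(stale), total


if __name__ == "__main__":
    # Assumed location; set to the value of struts.multipart.saveDir in your deployment.
    save_dir = os.environ.get("STRUTS_SAVE_DIR", "/tmp/struts-uploads")
    files, total = find_stale_uploads(save_dir)
    for path, size, age in files:
        print(f"{path}\t{size} bytes\t{int(age)} s old")
    print(f"{len(files)} stale file(s), {total} bytes total")
```

Run it from cron in dry-run mode first and alert when the total crosses a disk budget; switch to removal only after confirming the threshold is longer than any legitimate upload.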