Bug 1217823 (CVE-2023-41835) - VUL-0: CVE-2023-41835: struts: excessive disk usage during file upload
Summary: VUL-0: CVE-2023-41835: struts: excessive disk usage during file upload
Status: NEW
Alias: CVE-2023-41835
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Dario Leidi
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/387116/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-41835:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-05 13:17 UTC by SMASH SMASH
Modified: 2023-12-05 14:15 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description (SMASH SMASH, 2023-12-05 13:17:38 UTC):
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.
Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.
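The description above states the failure mode in one sentence: file parts are spilled to the save directory as the multipart body is parsed, and a later oversized string field denies the request without removing them. The following Python model, added here as an illustration and not code from Struts or from SUSE, reproduces that ordering in a hypothetical `process_multipart_leaky` handler next to a `process_multipart_safe` variant that cleans up before the denial propagates. The part records, the `RequestDenied` exception, the `upload_` and `saveDir_` prefixes, and the `leftover_files` check are all constructed for the example; the real fix is the Struts upgrade named in the report.

```python
"""Added example (not Struts code): a simplified model of the cleanup bug class
described in CVE-2023-41835, where file parts written to the multipart save
directory survive a request that is later denied for an oversized string field."""
import os
import tempfile


class RequestDenied(Exception):
    """Raised when a string field exceeds the configured maxStringLength (hypothetical)."""


def _spill_file_part(part, save_dir):
    # Mimics a multipart parser writing an uploaded file part to the save directory.
    fd, path = tempfile.mkstemp(prefix="upload_", dir=save_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(part["content"])
    return path


def process_multipart_leaky(parts, save_dir, max_string_length):
    """Buggy ordering (hypothetical model of the reported behaviour): parts are
    handled as they arrive, so a file part is already on disk when a later
    oversized string field denies the request, and nothing removes it."""
    saved = []
    for part in parts:
        if part["is_file"]:
            saved.append(_spill_file_part(part, save_dir))
        elif len(part["content"]) > max_string_length:
            raise RequestDenied(f"field {part['name']!r} exceeds {max_string_length}")
    return saved


def process_multipart_safe(parts, save_dir, max_string_length):
    """Same flow, but every file already written is removed before the denial
    propagates, so a rejected request leaves nothing behind in save_dir."""
    saved = []
    try:
        for part in parts:
            if part["is_file"]:
                saved.append(_spill_file_part(part, save_dir))
            elif len(part["content"]) > max_string_length:
                raise RequestDenied(f"field {part['name']!r} exceeds {max_string_length}")
    except RequestDenied:
        for path in saved:
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
        raise
    return saved


def leftover_files(save_dir):
    """Defender-side check: list whatever is still sitting in the save directory."""
    return sorted(os.listdir(save_dir))


def run_denied_request(handler, max_string_length=16):
    """Submit a constructed request whose text field is longer than the limit and
    return how many files the handler left behind in a fresh temporary save_dir."""
    save_dir = tempfile.mkdtemp(prefix="saveDir_")
    parts = [  # constructed sample request: one file part, one oversized text field
        {"name": "document", "is_file": True, "content": b"constructed file body"},
        {"name": "comment", "is_file": False, "content": "x" * 100},
    ]
    try:
        handler(parts, save_dir, max_string_length)
    except RequestDenied:
        pass
    leftovers = leftover_files(save_dir)
    for name in leftovers:  # tidy up the demo directory afterwards
        os.remove(os.path.join(save_dir, name))
    os.rmdir(save_dir)
    return len(leftovers)


if __name__ == "__main__":
    print("leaky handler leaves", run_denied_request(process_multipart_leaky), "file(s)")
    print("safe handler leaves", run_denied_request(process_multipart_safe), "file(s)")
```

Running the module shows the leaky handler leaving one file per denied request while the safe handler leaves none; the same `leftover_files` check, pointed at the configured struts.multipart.saveDir, is a cheap way to confirm whether a deployed instance is accumulating orphaned uploads while the upgrade is scheduled.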

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41835
https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft