GHSA-729q-fcgp-r5xh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-729q-fcgp-r5xh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-729q-fcgp-r5xh/GHSA-729q-fcgp-r5xh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-729q-fcgp-r5xh
- Aliases
- Published
- 2023-12-05T09:33:27Z
- Modified
- 2024-02-16T08:05:02.483237Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability
- Details
-
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.
- Database specific
{ "nvd_published_at": "2023-12-05T09:15:07Z", "cwe_ids": [ "CWE-459" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-12-05T23:34:18Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-41835
- https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a
- https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7
- https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711
- https://github.com/apache/struts
- https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft
- https://www.openwall.com/lists/oss-security/2023/12/09/1
- http://www.openwall.com/lists/oss-security/2023/12/09/1
Affected packages
Maven / org.apache.struts:struts2-core
Package
- Name
- org.apache.struts:struts2-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.struts/struts2-core
Maven / org.apache.struts:struts2-core
Package
- Name
- org.apache.struts:struts2-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.struts/struts2-core
Maven / org.apache.struts:struts2-core
Package
- Name
- org.apache.struts:struts2-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.struts/struts2-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.5.32
Affected versions
2.*
2.0.5
2.0.6
2.0.8
2.0.9
2.0.11
2.0.11.1
2.0.11.2
2.0.12
2.0.14
2.1.2
2.1.6
2.1.8
2.1.8.1
2.2.1
2.2.1.1
2.2.3
2.2.3.1
2.3.1
2.3.1.1
2.3.1.2
2.3.3
2.3.4
2.3.4.1
2.3.7
2.3.8
2.3.12
2.3.14
2.3.14.1
2.3.14.2
2.3.14.3
2.3.15
2.3.15.1
2.3.15.2
2.3.15.3
2.3.16
2.3.16.1
2.3.16.2
2.3.16.3
2.3.20
2.3.20.1
2.3.20.3
2.3.24
2.3.24.1
2.3.24.3
2.3.28
2.3.28.1
2.3.29
2.3.30
2.3.31
2.3.32
2.3.33
2.3.34
2.3.35
2.3.36
2.3.37
2.5-BETA1
2.5-BETA2
2.5-BETA3
2.5
2.5.1
2.5.2
2.5.5
2.5.8
2.5.10
2.5.10.1
2.5.12
2.5.13
2.5.14
2.5.14.1
2.5.16
2.5.17
2.5.18
2.5.20
2.5.22
2.5.25
2.5.26
2.5.27
2.5.28
2.5.28.1
2.5.28.2
2.5.28.3
2.5.29
2.5.30
2.5.31