Incomplete Cleanup in org.apache.struts:struts2-assembly

CVE-2023-41835

org.apache.struts:struts2-assembly
org.apache.struts:struts2-core
org.apache.struts:struts2-parent

High

7.5/10

Summary

When a Multipart request is performed but some of the fields exceed the "maxStringLength" limit, the upload files will remain in "struts.multipart.saveDir" even if the request has been denied. Users are recommended to upgrade to versions, that fixes this issue. This issue affects the package org.apache.struts:struts2-core versions through 2.5.31, 6.0.0 through 6.1.2.1, and 6.2.0 through 6.3.0.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-459 - Incomplete Cleanup

The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

References

Advisory
Mail Thread
Advisory
Release Note
Issue

Advisory Timeline

Published Dec 05, 2023

Incomplete Cleanup in org.apache.struts:struts2-assembly

CVE-2023-41835

Summary

CWE-459 - Incomplete Cleanup

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS