PT-2023-3359 · Apache · Apache Struts

Matthew Mcclain

Published: 2023-06-13 · Updated: 2023-11-21

CVE-2023-34396

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache Struts versions through 2.5.30; Apache Struts versions through 6.1.2
Description: The issue is an allocation of resources without limits or throttling, which can lead to a denial of service through out-of-memory (OOM) conditions because there is no sanity limit on normal form fields in multipart forms. When a multipart request contains non-file (normal) form fields, Struts reads them into memory as Strings without checking their sizes; if the developer has set struts.multipart.maxSize to a value equal to or greater than the available memory, a single request can exhaust the heap. An unauthenticated attacker can therefore render exposed Struts instances unavailable, with no impact to confidentiality, no impact to integrity, and high impact to availability.
Recommendations: Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. As a temporary workaround, consider restricting the use of multipart forms or setting a reasonable value for struts.multipart.maxSize to minimize the risk of exploitation.
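As an added illustration, not part of the advisory, a struts.xml fragment showing the setting the workaround refers to, with the risky value beside a bounded one. The 2 MB value is the Struts default; the per-field limit constant at the end is an assumption about the fixed releases and must be checked against the release notes of the version in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- DTD shown for a Struts 2.5 deployment; Struts 6 ships its own DTD. -->
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <!-- RISKY (shown commented out): a limit at or above the JVM heap means
       every normal, non-file field of a multipart request is buffered in
       memory as a String until the heap is exhausted.
       Constructed value: 2 GB. -->
  <!-- <constant name="struts.multipart.maxSize" value="2147483648"/> -->

  <!-- BOUNDED: cap the whole multipart body well below available memory.
       2097152 (2 MB) is the Struts default; size it to the largest upload
       the application genuinely needs, not to what the heap can hold. -->
  <constant name="struts.multipart.maxSize" value="2097152"/>

  <!-- ASSUMPTION: the fixed releases (2.5.31 / 6.1.2.1) add a separate cap
       on the length of each normal form field. The constant name below is
       assumed, not taken from the advisory; verify it before relying on it. -->
  <constant name="struts.multipart.maxStringLength" value="4096"/>
</struts>
```

The body-size cap alone only bounds the damage per request; the upgrade is what removes the unbounded per-field buffering.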

Fix

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: BDU:2023-03515, CVE-2023-34396, GHSA-4G42-GQRG-4633

Affected Products: Apache Struts, Bamboo