PT-2023-3364 · Apache · Apache Struts

Matthew Mcclain · Published 2023-06-13 · Updated 2023-07-06 · CVE-2023-34149

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Apache Struts versions through 2.5.30
Apache Struts versions through 6.1.2

Description
The issue is an allocation of resources without limits or throttling, which can lead to a denial of service through an out-of-memory (OOM) condition because list bounds are not properly checked. When a multipart request contains non-file (normal) form fields, Struts reads them into memory as Strings without checking their size, which can exhaust the heap if the developer has set struts.multipart.maxSize to a value equal to or greater than the available memory.

Recommendations
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. As a temporary workaround, set a lower value for struts.multipart.maxSize to minimize the risk of exploitation, and restrict access to multipart requests to minimize the risk of denial of service attacks.
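The following struts.xml fragment is an added illustration of the workaround above; it is not part of the advisory and not the project's own configuration. The numeric values are constructed: the commented-out line shows the kind of setting the advisory warns about (a multipart limit at or above the JVM heap), and the active line caps the total multipart request size well below available memory. The DTD shown is the Struts 2.5 one; a 6.x deployment would reference its own DTD.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Risky (constructed example): a 4 GiB multipart limit on a JVM with
         a smaller heap lets one request of oversized normal form fields
         be buffered as Strings until the heap is exhausted (OOM). -->
    <!-- <constant name="struts.multipart.maxSize" value="4294967296" /> -->

    <!-- Workaround (constructed value): cap the total multipart request
         size at 2 MiB, far below the heap, so unpatched versions cannot
         buffer more than this per request. Upgrade remains the real fix. -->
    <constant name="struts.multipart.maxSize" value="2097152" />
</struts>
```

The same constant can be set in struts.properties as `struts.multipart.maxSize=2097152`; whichever form is used, the limit is compared against the whole multipart body, so it should be sized to the largest upload the application legitimately needs and checked against the configured JVM heap on every deployment.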

Fix

Weakness Enumeration
Allocation of Resources Without Limits

Related Identifiers
BDU:2023-03520
CVE-2023-34149
GHSA-8F6X-V685-G2XC

Affected Products
Apache Struts