6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-34149

GHSA ID

GHSA-8f6x-v685-g2xc

EPSS Score

0.19709%

CWE

CWE-770

Published

6/14/2023

Updated

2/13/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34149

CVE-2023-34149: Apache Struts vulnerable to memory exhaustion

Denial of service via out of memory (OOM) owing to not properly checking of list bounds. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory.

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-34149

CVE-2023-34149:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-34149

GHSA ID

GHSA-8f6x-v685-g2xc

EPSS Score

0.19709%

CWE

CWE-770

Published

6/14/2023

Updated

2/13/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.struts:struts2-core	maven	< 2.5.31	2.5.31
org.apache.struts:struts2-core	maven	>= 6.0.0, < 6.1.2.1	6.1.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper size checking of non-file form fields in multipart requests. The unpatched version of processNormalFormField in JakartaMultiPartRequest.java directly added form field values to memory as Strings without validating their length. The patch introduced a critical size check against maxStringLength (a new configuration parameter), confirming this was the vulnerable point. The function's pre-patch behavior matches the CVE description of uncontrolled memory allocation for form fields.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-34149: Apache Struts vulnerable to memory exhaustion

CVE-2023-34149:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.5

6.5

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-34149: Apache Struts vulnerable to memory exhaustion

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI