6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-34149

GHSA ID

GHSA-8f6x-v685-g2xc

EPSS Score

0.19709%

CWE

CWE-770

Published

6/14/2023

Updated

2/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34149

CVE-2023-34149: Apache Struts vulnerable to memory exhaustion

Denial of service via out of memory (OOM) owing to not properly checking of list bounds. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory.

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-34149

GHSA ID

GHSA-8f6x-v685-g2xc

EPSS Score

0.19709%

CWE

CWE-770

Published

6/14/2023

Updated

2/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.struts:struts2-core	maven	< 2.5.31	2.5.31
org.apache.struts:struts2-core	maven	>= 6.0.0, < 6.1.2.1	6.1.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper size checking of non-file form fields in multipart requests. The unpatched version of processNormalFormField in JakartaMultiPartRequest.java directly added form field values to memory as Strings without validating their length. The patch introduced a critical size check against maxStringLength (a new configuration parameter), confirming this was the vulnerable point. The function's pre-patch behavior matches the CVE description of uncontrolled memory allocation for form fields.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**ni*l o* s*rvi** vi* out o* m*mory (OOM) owin* to not prop*rly ****kin* o* list *oun*s. W**n * Multip*rt r*qu*st **s non-*il* norm*l *orm *i*l*s, Struts us** to *rin* t**m into m*mory *s Strin*s wit*out ****kin* t**ir siz*s. T*is *oul* l*** to OOM i

Reasoning

T** vuln*r**ility st*ms *rom improp*r siz* ****kin* o* non-*il* *orm *i*l*s in multip*rt r*qu*sts. T** unp*t**** v*rsion o* `pro**ssNorm*l*orm*i*l*` in `J*k*rt*MultiP*rtR*qu*st.j*v*` *ir**tly ***** *orm *i*l* v*lu*s to m*mory *s Strin*s wit*out v*li*

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-34149: Apache Struts vulnerable to memory exhaustion

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI