Versions Compared

Comment: fix version


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Denial of Service

Maximum security rating

Important

Recommendation

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater (this revision corrects the version given earlier as 2.5.30.1)

Affected Software

Struts 2.0.0 - Struts 6.1.2

Reporters

Matthew McClain

CVE Identifier

CVE-2023-34149


WW-4620 added autoGrowCollectionLimit to XWorkListPropertyAccessor, but the limit is only enforced in setProperty() and not in getProperty(). If a developer has set CreateIfNull to true for the underlying Collection type field, a read of an out-of-range index still grows the collection without any bound, which can lead to an OutOfMemoryError (OOM).
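The following is an added, simplified model of the defect described above; it is not the code of XWorkListPropertyAccessor or any other Struts/XWork class, and the class and method names are illustrative. It shows why a bound that is checked only on the write path is not enough: the read path with createIfNull semantics must apply the same autoGrowCollectionLimit before allocating.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model (added example, not XWork's code) of a list property
// accessor that auto-grows a List when an index beyond its size is addressed.
public class BoundedListAccessor {
    private final int autoGrowCollectionLimit;

    public BoundedListAccessor(int autoGrowCollectionLimit) {
        this.autoGrowCollectionLimit = autoGrowCollectionLimit;
    }

    // Write path: the pre-fix code already enforced the limit here.
    public void setProperty(List<Object> list, int index, Object value) {
        growTo(list, index);
        list.set(index, value);
    }

    // Read path with createIfNull semantics. Before the fix this grew the list
    // without consulting the limit, so a huge index meant a huge allocation.
    public Object getProperty(List<Object> list, int index, boolean createIfNull) {
        if (index >= list.size()) {
            if (!createIfNull) {
                return null;            // nothing is created on read
            }
            growTo(list, index);        // fixed: same bound as setProperty
        }
        return list.get(index);
    }

    // Single place where growth happens, so both paths share one bound.
    private void growTo(List<Object> list, int index) {
        if (index < 0 || index >= autoGrowCollectionLimit) {
            throw new IllegalArgumentException(
                "index " + index + " exceeds autoGrowCollectionLimit " + autoGrowCollectionLimit);
        }
        while (list.size() <= index) {
            list.add(null);
        }
    }

    public static void main(String[] args) {
        BoundedListAccessor accessor = new BoundedListAccessor(255);
        List<Object> items = new ArrayList<>();
        accessor.setProperty(items, 3, "first");                    // grows to size 4
        System.out.println(accessor.getProperty(items, 10, true));  // grows to size 11, prints null
        try {
            accessor.getProperty(items, 1_000_000_000, true);       // rejected instead of allocating
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point to take from the model is structural: any accessor that can allocate on behalf of untrusted input needs the bound on every path that allocates, not only on the one that was first identified.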

Solution

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater (this revision corrects the version given earlier as 2.5.30.1).

Backward compatibility

No issues expected when upgrading to Struts 2.5.31 (given earlier as 2.5.30.1) or 6.1.2.1

Workaround

Set CreateIfNull to false for Collection type fields (it is false by default if it is not set). The earlier revision of this bulletin listed no workaround (N/A).
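As an added example of the workaround above (not code from the bulletin or the Struts project), here is an action with a Collection type field shown first with the weak setting and then with the setting the workaround calls for. The @CreateIfNull and @Element annotations and the UserListAction/User names are assumed from Struts type-conversion conventions rather than taken from the bulletin.

```java
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.util.CreateIfNull;
import com.opensymphony.xwork2.util.Element;
import java.util.ArrayList;
import java.util.List;

// Hypothetical action used to illustrate the workaround.
public class UserListAction extends ActionSupport {

    // Weak setting: with CreateIfNull enabled, reading an index beyond the
    // current size of the list creates elements on the fly. On affected
    // versions that growth on the read path is not bounded by
    // autoGrowCollectionLimit, which is the condition the bulletin describes.
    //
    //   @Element(User.class)
    //   @CreateIfNull(true)
    //   private List<User> users = new ArrayList<>();

    // Workaround: leave CreateIfNull unset (it defaults to false) or set it
    // explicitly to false, so a read never allocates elements.
    @Element(User.class)
    @CreateIfNull(false)
    private List<User> users = new ArrayList<>();

    public List<User> getUsers() {
        return users;
    }

    public void setUsers(List<User> users) {
        this.users = users;
    }

    // Hypothetical element type for the list.
    public static class User {
        private String name;

        public String getName() {
            return name;
        }

        public void setName(String name) {
            this.name = name;
        }
    }
}
```

If the conversion settings are kept in a ClassName-conversion.properties file instead of annotations, the equivalent (again assumed from Struts conventions, not stated in the bulletin) is to omit the CreateIfNull_users entry or set it to false. The workaround reduces exposure but does not replace the upgrade, which is where the read path itself gets the limit.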