THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Denial of Service |
Maximum security rating | Important |
Recommendation | Upgrade to Struts 2.5.30.1 31 or 6.1.2.1 or greater |
Affected Software | Struts 2.0.0 - Struts 6.1.2 |
Reporters | Matthew McClain |
CVE Identifier | CVE-2023-34149 |
...
Solution
Upgrade to Struts 2.5.30.1 31 or 6.1.2.1 or greater.
Backward compatibility
No issues expected when upgrading to Struts 2.5.30.131 or 6.1.2.1
Workaround
Set CreateIfNull to false for Collection type fields (it's by default false if it's not set).