Description
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.
Remediation
References
https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft
https://www.openwall.com/lists/oss-security/2023/12/09/1
Related Vulnerabilities
CVE-2023-32314 Vulnerability in npm package vm2
CVE-2020-13935 Vulnerability in maven package org.apache.tomcat:tomcat-websocket
CVE-2022-40955 Vulnerability in maven package org.apache.inlong:sort-connector-base
CVE-2023-23850 Vulnerability in maven package org.jenkins-ci.plugins:synopsys-coverity
CVE-2020-11022 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery