CVE-2023-41835 is a high-severity vulnerability classified under CWE-459 (Incomplete Cleanup) affecting Apache Struts, a widely used open-source framework for creating Java web applications. The vulnerability arises when a multipart HTTP request is processed, and some fields exceed the configured maxStringLength limit. In such cases, although the request is denied, the uploaded files are not properly cleaned up and remain stored in the directory specified by the struts.multipart.saveDir configuration. This incomplete cleanup can lead to unintended file accumulation on the server, potentially causing denial of service (DoS) conditions due to disk space exhaustion or exposing sensitive data if the leftover files contain confidential information. The vulnerability affects Apache Struts versions from 2.0.0 up to 6.1.2.1. The Apache Software Foundation has addressed this issue in versions 2.5.32, 6.1.2.2, and 6.3.0.1 or later. The CVSS v3.1 base score is 7.5, reflecting a high severity with a vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). There are no known exploits in the wild at the time of publication. The vulnerability does not allow direct code execution or data manipulation but can degrade service availability by filling storage with leftover files from denied multipart requests. This issue is particularly relevant for web applications handling file uploads where strict input size limits are enforced.

For European organizations, the impact of CVE-2023-41835 can be significant, especially for those relying on Apache Struts-based web applications that handle file uploads. The incomplete cleanup of files can lead to disk space exhaustion, resulting in denial of service conditions that disrupt business operations, customer access, and internal workflows. This can affect sectors such as finance, healthcare, government, and e-commerce, where availability and reliability of web services are critical. Additionally, residual files might contain sensitive or personal data, raising compliance concerns under GDPR if such data is exposed or improperly retained. The vulnerability does not directly compromise confidentiality or integrity but poses a risk to service continuity and data lifecycle management. Organizations with high traffic or large file upload volumes are at greater risk of rapid resource depletion. The lack of required authentication and user interaction means attackers can exploit this remotely and automatically, increasing the threat surface. Although no active exploits are reported, the potential for automated abuse exists, making timely remediation important to maintain service availability and regulatory compliance.

European organizations should prioritize upgrading Apache Struts to versions 2.5.32, 6.1.2.2, 6.3.0.1, or later, as these versions include fixes for the incomplete cleanup issue. In addition to patching, organizations should implement the following specific mitigations: 1) Configure strict monitoring and alerting on disk usage in directories used for multipart uploads (struts.multipart.saveDir) to detect abnormal file accumulation early. 2) Implement automated cleanup scripts or scheduled tasks to remove orphaned files in the upload directory, ensuring no residual files remain from denied requests. 3) Review and tighten maxStringLength and other multipart request size limits to balance security and usability, preventing excessive file uploads. 4) Employ web application firewalls (WAFs) to detect and block suspicious multipart requests that exceed size limits or exhibit anomalous patterns. 5) Conduct regular audits of file upload handling and storage policies to ensure compliance with data retention and privacy regulations. 6) Isolate upload directories on separate partitions or storage volumes to contain potential disk exhaustion impact and facilitate easier cleanup. These targeted measures complement patching and reduce the risk of denial of service and data exposure related to this vulnerability.