
CVE-2023-41835: CWE-459 Incomplete Cleanup in Apache Software Foundation Apache Struts

Severity: High
Tags: vulnerability, cve-2023-41835, cwe-459
Published: Tue Dec 05 2023 (12/05/2023, 08:37:31 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Struts

Description

When a multipart request is performed but some of the fields exceed the maxStringLength limit, the uploaded files remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to Struts 2.5.32, 6.1.2.2, or 6.3.0.1 or greater, which fix this issue.

AI-Powered Analysis

Last updated: 11/04/2025, 20:08:46 UTC

Technical Analysis

CVE-2023-41835 is a vulnerability classified under CWE-459 (Incomplete Cleanup) affecting the Apache Struts framework, a widely used open-source framework for developing Java web applications. The issue arises during multipart HTTP requests when some form fields exceed the configured maxStringLength limit. Under these conditions, uploaded files are saved to the directory specified by struts.multipart.saveDir but are not cleaned up when the request is denied for exceeding the limit, so residual files accumulate on the server's filesystem. Over time this can exhaust disk space, leading to denial of service (DoS) by preventing legitimate uploads or causing application failures. The vulnerability is remotely exploitable without authentication or user interaction, which increases its risk profile. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, low attack complexity, no privileges required, and no user interaction needed, with the impact confined to availability. Apache has addressed this issue in Struts versions 2.5.32, 6.1.2.2, and 6.3.0.1 and later, and recommends immediate upgrades. No public exploits or active exploitation campaigns have been reported to date, but the potential for resource exhaustion makes timely patching important.

Potential Impact

For European organizations, the primary impact of CVE-2023-41835 is on the availability of web applications built on vulnerable Apache Struts versions. Residual files from denied multipart requests can accumulate, leading to disk space exhaustion and service outages. This can disrupt business operations, especially for critical services relying on Struts-based applications, such as government portals, financial services, and e-commerce platforms. The vulnerability does not expose sensitive data or allow code execution but can degrade service reliability and availability, potentially causing reputational damage and financial losses. Organizations with high traffic or frequent file uploads are at greater risk. Additionally, cleanup and recovery efforts post-exploitation can increase operational costs. The lack of authentication requirements and remote exploitability means attackers can easily attempt to exploit this vulnerability at scale, increasing the risk of denial of service attacks targeting European enterprises.

Mitigation Recommendations

European organizations should upgrade Apache Struts to versions 2.5.32, 6.1.2.2, 6.3.0.1, or later to remediate this vulnerability. In addition to patching, organizations should monitor the struts.multipart.saveDir directory to detect abnormal file accumulation indicative of exploitation attempts. Automated cleanup scripts or scheduled tasks can be used as a temporary mitigation to remove orphaned files and prevent disk exhaustion. Web application firewalls (WAFs) can be configured to limit the size of multipart requests or to block requests whose fields exceed expected length thresholds. Organizations should also review maxStringLength settings and tighten them to limits that match application requirements. Regular audits of disk usage and alerting on unusual spikes help detect early signs of exploitation. Finally, integrating vulnerability scanning with patch management ensures timely detection and remediation of similar issues in the future.
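The monitoring and cleanup mitigation above can be implemented as a small watchdog that is run from a scheduled task against struts.multipart.saveDir. The following script is an added example written for this page, not code from the Apache Struts project. It assumes that staged uploads are written to the save directory as files matching upload_*.tmp (the Commons FileUpload naming convention; adjust the glob for your deployment) and that any such file older than the longest request your application legitimately serves is an orphan left behind by a denied request. It reports the count and total size of orphans, flags abnormal accumulation for alerting, and removes them only when explicitly told to.

```python
"""Watchdog for orphaned multipart temp files in a Struts saveDir (added example)."""
import argparse
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

# Assumption: staged uploads in struts.multipart.saveDir are named upload_*.tmp.
# This is the Commons FileUpload convention; override it if your deployment differs.
DEFAULT_PATTERN = "upload_*.tmp"


@dataclass
class OrphanReport:
    """Result of one scan: which staged files have outlived any plausible request."""
    files: List[Path] = field(default_factory=list)
    total_bytes: int = 0


def find_orphaned_uploads(save_dir, max_age_seconds, pattern=DEFAULT_PATTERN, now=None):
    """Return staged upload files whose mtime is at least max_age_seconds old.

    A temp file that survives longer than any request could take is not an
    in-flight upload; it is leftover from a request that was denied and never
    cleaned up, which is the accumulation CVE-2023-41835 describes.
    """
    now = time.time() if now is None else now
    report = OrphanReport()
    for path in Path(save_dir).glob(pattern):
        if not path.is_file():
            continue
        st = path.stat()
        if now - st.st_mtime >= max_age_seconds:
            report.files.append(path)
            report.total_bytes += st.st_size
    report.files.sort()
    return report


def exceeds_threshold(report, max_files, max_bytes):
    """Alerting hook: True when orphan accumulation looks abnormal for this host."""
    return len(report.files) > max_files or report.total_bytes > max_bytes


def cleanup_orphans(report, dry_run=True):
    """Remove the orphans in the report; returns how many were (or would be) removed.

    dry_run defaults to True so a misconfigured schedule cannot delete anything
    until an operator has reviewed a report.
    """
    removed = 0
    for path in report.files:
        if not dry_run:
            try:
                path.unlink()
            except FileNotFoundError:
                # Raced with the application or another cleanup run; nothing to do.
                continue
        removed += 1
    return removed


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Scan a Struts saveDir for orphaned uploads")
    ap.add_argument("save_dir", help="value of struts.multipart.saveDir")
    ap.add_argument("--max-age", type=int, default=3600,
                    help="seconds a staged upload may legitimately live (default 3600)")
    ap.add_argument("--max-files", type=int, default=100)
    ap.add_argument("--max-bytes", type=int, default=1 << 30)
    ap.add_argument("--delete", action="store_true", help="actually remove orphans")
    args = ap.parse_args()

    rep = find_orphaned_uploads(args.save_dir, args.max_age)
    print(f"{len(rep.files)} orphaned upload(s), {rep.total_bytes} bytes in {args.save_dir}")
    if exceeds_threshold(rep, args.max_files, args.max_bytes):
        print("ALERT: orphan accumulation exceeds threshold; check for denied multipart requests")
    n = cleanup_orphans(rep, dry_run=not args.delete)
    print(f"{'removed' if args.delete else 'would remove'} {n} file(s)")
```

Set --max-age above the longest upload your application accepts; otherwise the script will delete files that a slow but legitimate request is still writing. The file and byte thresholds are what the alerting recommendation above turns on, so tune them to the normal churn of each host rather than using the defaults blindly, and treat the script as a stopgap until the upgrade to a fixed Struts release is complete.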


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2023-09-04T07:53:19.551Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68385089182aa0cae27baae9

Added to database: 5/29/2025, 12:18:17 PM

Last enriched: 11/4/2025, 8:08:46 PM

Last updated: 12/2/2025, 2:10:23 AM

