CVE-2023-34396 (High) detected in struts2-core-2.1.8.jar, struts2-core-2.3.15.jar

[mend-for-github-com[bot]]

CVE-2023-34396 - High Severity Vulnerability

Vulnerable Libraries - struts2-core-2.1.8.jar, struts2-core-2.3.15.jar

struts2-core-2.1.8.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Struts2RemeberMeMaven/pom.xml

Path to vulnerable library: /canner/.m2/repository/org/apache/struts/struts2-core/2.1.8/struts2-core-2.1.8.jar,/Struts2RemeberMeMaven/target/Struts2RemeberMeMaven/WEB-INF/lib/struts2-core-2.1.8.jar

Dependency Hierarchy: - :x: **struts2-core-2.1.8.jar** (Vulnerable Library)

struts2-core-2.3.15.jar

Apache Struts 2

Path to dependency file: /Struts2MavenSample/pom.xml

Path to vulnerable library: /Struts2MavenSample/target/Struts2MavenSample-1.0/WEB-INF/lib/struts2-core-2.3.15.jar,/canner/.m2/repository/org/apache/struts/struts2-core/2.3.15/struts2-core-2.3.15.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.15.jar** (Vulnerable Library)

Found in HEAD commit: 4a2d705eb04097186f260a255e43e17302189741

Found in base branch: master

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

Publish Date: 2023-06-14

URL: CVE-2023-34396

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4g42-gqrg-4633

Release Date: 2023-06-14

Fix Resolution: 2.5.31

---

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.