CVE-2023-34149: 
Java vulnerability analysis and mitigation

Apache Struts versions through 2.5.30 and through 6.1.2 were affected by an Allocation of Resources Without Limits or Throttling vulnerability, identified as CVE-2023-34149. The vulnerability was discovered by Matthew McClain and publicly disclosed on June 14, 2023. The issue affects the resource allocation mechanism in Apache Struts, specifically related to list bounds checking (Apache Advisory, OSS Security).

The vulnerability stems from an implementation issue where XWorkListPropertyAccessor's autoGrowCollectionLimit only handles setProperty() and not getProperty(). When developers set CreateIfNull to true for Collection type fields, this limitation could trigger an Out of Memory (OOM) condition. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a network-exploitable vulnerability with low attack complexity (NVD).

Successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition through Out of Memory (OOM) errors. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity (NetApp Advisory).

The primary mitigation is to upgrade to Apache Struts version 2.5.31 or 6.1.2.1 or greater. As a workaround, organizations can set CreateIfNull to false for Collection type fields, which is the default setting if not explicitly configured. No backward compatibility issues are expected when upgrading to the fixed versions (Apache Advisory).