Apache Struts 2 Vulnerability CVE-2023-50164

Summary

Security update addresses a critical path traversal vulnerability that could lead to RCE


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Apache has released a security update for Apache Struts 2 to address a critical path traversal vulnerability, tracked as CVE-2023-50164. Apache Struts 2 is an open-source framework for creating Java web applications. This vulnerability has a CVSSv3 score of 9.8 and could allow a remote attacker to perform remote code execution (RCE).

Exploitation in the wild and proof-of-concept of CVE-2023-50164

This vulnerability is being actively exploited in the wild and proof-of-concept code is publicly available. 


Remediation advice

Affected organisations are encouraged to review Apache's security bulletin S2-066 and apply any relevant updates.



Last edited: 14 December 2023 3:52 pm