
Four in five Apache Struts 2 downloads are for versions featuring critical flaw
2023-12-21 14:13

Security vendor Sonatype believes developers are failing to address the critical remote code execution vulnerability in the Apache Struts 2 framework, based on recent downloads of the code.

It is a path traversal bug in the framework's file upload handling: if an application uses Struts 2 to let users upload files to a server, an attacker can manipulate the upload parameters so that the file is written outside the directory the application intended, and under some circumstances the planted file can then be used to achieve remote code execution on that machine.
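The class of bug described above, shown as an added example that is not code from the Struts project or from The Register: a naive upload handler that joins a client-supplied filename onto the upload directory, beside a hardened version that canonicalizes the result and refuses anything that would land outside that directory. The upload root and the sample filenames are constructed for the illustration; nothing here reproduces the Struts 2 internals.

```python
"""Path-traversal check for client-supplied upload filenames (added example)."""
import os
from pathlib import Path
from typing import Optional

# Hypothetical upload directory; it does not need to exist for the check to run.
UPLOAD_ROOT = Path("/srv/app/uploads")

# Constructed sample filenames a client might send in a multipart upload.
SAMPLE_NAMES = [
    "report.pdf",                    # benign
    "../../webapps/ROOT/shell.jsp",  # dot-dot traversal toward a servlet web root
    "/etc/cron.d/evil",              # absolute path
    "subdir/../../../tmp/x",         # traversal hidden behind a subdirectory
    "",                              # empty name resolves to the root itself
]


def naive_destination(upload_root: Path, client_filename: str) -> Path:
    """Weak pattern: trust the client's name and join it onto the upload root.

    os.path.join discards the root entirely when the name is absolute, and
    '..' segments walk out of the directory after normalisation."""
    return Path(os.path.normpath(os.path.join(str(upload_root), client_filename)))


def safe_destination(upload_root: Path, client_filename: str) -> Optional[Path]:
    """Hardened pattern: canonicalize both sides and require containment.

    Returns None when the final path would be the root itself or anything
    outside it, so the caller can reject the upload instead of writing it."""
    root = upload_root.resolve()
    candidate = (root / client_filename).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        return None
    return candidate


def classify(names, upload_root: Path = UPLOAD_ROOT) -> dict:
    """Map each sample name to 'allowed' or 'rejected' under the hardened check."""
    return {
        name: ("allowed" if safe_destination(upload_root, name) else "rejected")
        for name in names
    }


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:34} naive -> {naive_destination(UPLOAD_ROOT, name)}"
              f"   hardened -> {safe_destination(UPLOAD_ROOT, name)}")
```

The containment check must run on the canonicalized path, not on the raw string: rejecting names that merely contain `..` misses absolute paths, and checking a string prefix misses symlinked directories, which is why both sides go through `resolve()` before the comparison.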

Researchers at Sonatype, which operates the Maven Central repository of open source software, have found that between the December 7 disclosure of the flaw and December 18, around 80 percent of Struts downloads from that code silo were for versions that remain vulnerable to CVE-2023-50164.

The low download rate for safe cuts of Struts comes despite the release of proof of concept exploit code that prompted government cyber-advisory services to call for rapid patching of the vulnerability.

Many industry experts were quick to reaffirm the recommended guidance, which was to upgrade to the latest version of Struts 2 as soon as possible, but noted that a list of preconditions had to be met for an attack to succeed.

"As we navigate the holiday season, the urgency to address the Struts 2 vulnerability should be a high priority," he blogged.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/21/apache_struts_vulnerable_downloads/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                         RISK
2023-12-07  CVE-2023-50164  Unspecified vulnerability in Apache Struts  network, low complexity, Apache, critical, CVSS 9.8

An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
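A practical check for the guidance in the advisory above, and for the download figures Sonatype reports: flag every Struts 2 coordinate in a Maven dependency listing whose version predates the fixed releases 2.5.33 and 6.3.0.2. This is an added example, not Sonatype's or the Struts project's tooling. The input is a constructed sample in the shape of `mvn dependency:list` output, and the example assumes that the version of any `org.apache.struts` artifact reflects the framework line the build pulls in and that numeric dot-separated components are enough to order versions (qualifiers such as `-SNAPSHOT` are ignored).

```python
"""Flag Apache Struts 2 coordinates that predate the CVE-2023-50164 fix
(added example; not Sonatype's or the Struts project's tooling)."""
import re
from typing import List, Tuple

# Fixed versions named in the advisory: 2.5.33 and 6.3.0.2, or greater.
FIXED_2X = (2, 5, 33)
FIXED_6X = (6, 3, 0, 2)

# Constructed sample in the shape of `mvn dependency:list` output; not a real project.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.5.30:compile
[INFO]    org.apache.struts:struts2-core:jar:6.3.0:compile
[INFO]    org.apache.struts:struts2-core:jar:6.3.0.2:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.33:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.37:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

# Assumption: any org.apache.struts artifact carries the framework version in use.
COORD_RE = re.compile(r"^\[INFO\]\s+(?P<coord>org\.apache\.struts:\S+)\s*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.3.0.2' into (6, 3, 0, 2).

    Trailing qualifiers such as '-SNAPSHOT' are dropped; this assumes the
    numeric components alone decide which release line a build is on."""
    numeric = re.match(r"[\d.]+", version)
    if not numeric:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in numeric.group(0).strip(".").split("."))


def is_fixed(version: str) -> bool:
    """True for 2.5.33 or greater, except the 6.x releases before 6.3.0.2,
    which the advisory lists as still affected."""
    v = parse_version(version)
    if v < FIXED_2X:
        return False
    if v[0] == 6 and v < FIXED_6X:
        return False
    return True


def audit(mvn_output: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, 'fixed' | 'vulnerable') for each Struts coordinate."""
    findings = []
    for line in mvn_output.splitlines():
        match = COORD_RE.match(line)
        if not match:
            continue
        parts = match.group("coord").split(":")
        # groupId:artifactId:type[:classifier]:version:scope -> version is second to last
        artifact, version = parts[1], parts[-2]
        status = "fixed" if is_fixed(version) else "vulnerable"
        findings.append((artifact, version, status))
    return findings


if __name__ == "__main__":
    for artifact, version, status in audit(SAMPLE_MVN_OUTPUT):
        print(f"{artifact:32} {version:10} {status}")
```

Run it against real output from `mvn dependency:list` (or `mvn dependency:tree`, after adjusting the regex for the tree prefixes) rather than against the declared version in a single `pom.xml`, because a vulnerable `struts2-core` is frequently pulled in transitively by a plugin or parent POM that the project never names directly.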

Related vendor

VENDOR  LAST 12M  #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Apache  281                   13   549     713   367       1642