Security News > 2023 > December > Four in five Apache Struts 2 downloads are for versions featuring critical flaw

Security vendor Sonatype believes developers are failing to address the critical remote code execution vulnerability in the Apache Struts 2 framework, based on recent downloads of the code.

It is a logic bug in the framework's file upload feature: if an application uses Struts 2 to allow users to upload files to a server, those folks can abuse the vulnerability to save documents where they shouldn't be allowed to on that remote machine.

Researchers at Sonatype, which operates the Maven Central repository of open source software, has found that between the December 7 disclosure of the flaw and December 18, around 80 percent of Struts downloads from that code silo were for versions that remain vulnerable to CVE-2023-50164.

The low download rate for safe cuts of Struts comes despite the release of proof of concept exploit code that prompted government cyber-advisory services to call for rapid patching of the vulnerability.

Regardless, many industry experts were quick to reaffirm the recommended guidance - which was to upgrade to the latest version of Struts 2 as soon as possible - but noted there was a list of preconditions that had to be met in order for an attack to be successful.

"As we navigate the holiday season, the urgency to address the Struts 2 vulnerability should be a high priority," he blogged.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/21/apache_struts_vulnerable_downloads/