Four in five Apache Struts 2 downloads are for versions featuring critical flaw
Security vendor Sonatype believes developers are failing to address the critical remote code execution vulnerability in the Apache Struts 2 framework, based on recent downloads of the code.
It is a logic bug in the framework's file upload feature: if an application uses Struts 2 to allow users to upload files to a server, those folks can abuse the vulnerability to save documents where they shouldn't be allowed to on that remote machine.
Researchers at Sonatype, which operates the Maven Central repository of open source software, have found that between the December 7 disclosure of the flaw and December 18, around 80 percent of Struts downloads from that code silo were for versions that remain vulnerable to CVE-2023-50164.
The low download rate for safe cuts of Struts comes despite the release of proof of concept exploit code that prompted government cyber-advisory services to call for rapid patching of the vulnerability.
Regardless, many industry experts were quick to reaffirm the recommended guidance - which was to upgrade to the latest version of Struts 2 as soon as possible - but noted there was a list of preconditions that had to be met in order for an attack to be successful.
"As we navigate the holiday season, the urgency to address the Struts 2 vulnerability should be a high priority," he blogged.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/12/21/apache_struts_vulnerable_downloads/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-12-07 | CVE-2023-50164 | Unspecified vulnerability in Apache Struts. An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue. | 9.8 |
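The article and the advisory row above both describe the same failure mode: a client-controlled upload filename is turned into a write path without being constrained to the intended upload directory. The following is an added, generic example of the server-side check a defender would expect around any file-upload handler; it is not Struts' own code, not the project's fix, and not a substitute for upgrading to the versions named above. The class name `UploadPathGuard`, the upload root `/var/app/uploads`, and the sample filenames are all constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Constrains a client-supplied upload filename to a fixed upload directory.
 * Hypothetical helper written for this page; not part of Apache Struts.
 */
public final class UploadPathGuard {
    private final Path uploadRoot;

    public UploadPathGuard(Path uploadRoot) {
        // Canonicalise once so later startsWith() comparisons are meaningful.
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
    }

    /**
     * Returns true only for a bare filename: no directory separators of either
     * flavour, no "." or ".." components, and no NUL bytes. Rejecting rather than
     * silently stripping traversal sequences gives the caller a clear signal to log.
     */
    public static boolean isPlainFilename(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) {
            return false;
        }
        return !name.equals(".") && !name.equals("..");
    }

    /**
     * Resolves the destination for an upload, or throws if the result would land
     * anywhere other than directly inside the upload root. The second check is
     * defence in depth: even if the filename filter were bypassed, the resolved
     * path is verified against the canonical root before any write happens.
     */
    public Path resolveDestination(String clientFilename) {
        if (!isPlainFilename(clientFilename)) {
            throw new IllegalArgumentException("rejected filename: " + clientFilename);
        }
        Path dest = uploadRoot.resolve(clientFilename).normalize();
        if (!dest.getParent().equals(uploadRoot)) {
            throw new IllegalArgumentException("destination escapes upload root: " + dest);
        }
        return dest;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name and three traversal attempts.
        UploadPathGuard guard = new UploadPathGuard(Paths.get("/var/app/uploads"));
        String[] samples = {
            "quarterly-report.pdf",
            "../../outside.txt",
            "..\\..\\outside.txt",
            "subdir/inner.txt",
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> accepted: " + guard.resolveDestination(s));
            } catch (IllegalArgumentException e) {
                // In a real handler this branch is where an alert or audit log entry belongs.
                System.out.println(s + " -> " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the other three are rejected before any path is resolved, and the rejection message is the hook for detection. The design choice to reject rather than sanitise is deliberate: a filename containing `..` or a separator in an upload request is itself a signal worth recording, and stripping it would hide that.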