Security News

Four in five Apache Struts 2 downloads are for versions featuring critical flaw
2023-12-21 14:13

Security vendor Sonatype believes developers are failing to address the critical remote code execution vulnerability in the Apache Struts 2 framework, based on recent downloads of the code. It is a logic bug in the framework's file upload feature: if an application uses Struts 2 to allow users to upload files to a server, those folks can abuse the vulnerability to save documents where they shouldn't be allowed to on that remote machine.

Week in review: Apache Struts vulnerability exploit attempt, EOL Sophos firewalls get hotfix
2023-12-17 09:00

EOL Sophos firewalls get hotfix for old but still exploited vulnerabilityOver a year has passed since Sophos delivered patches for a vulnerability affecting Sophos Firewalls that was being actively exploited by attackers, and now they have pushed additional ones to protect vulnerable EOL devices. Attackers are trying to exploit Apache Struts vulnerabilityAttackers are trying to leverage public proof-of-exploit exploit code for CVE-2023-50164, the recently patched path traversal vulnerability in Apache Struts 2.

Attackers are trying to exploit Apache Struts vulnerability (CVE-2023-50164)
2023-12-14 10:21

Attackers are trying to leverage public proof-of-exploit exploit code for CVE-2023-50164, the recently patched path traversal vulnerability in Apache Struts 2. "Attackers aim to deploy webshells, with some cases targeting the parameter 'fileFileName' - a deviation from the original exploit PoC," Akamai's Security Intelligence Group flagged on Wednesday.

Hackers are exploiting critical Apache Struts flaw using public PoC
2023-12-13 16:19

Hackers are attempting to leverage a recently fixed critical vulnerability in Apache Struts that leads to remote code execution, in attacks that rely on publicly available proof-of-concept exploit code. Apache Struts is an open-source web application framework designed to streamline the development of Java EE web apps, offering a form-based interface and extensive integration capabilities.

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now
2023-12-12 05:23

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked...

New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164)
2023-12-08 11:48

The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution. The vulnerability affects Apache Struts versions 2.0.0 through 2.5.32 and 6.0.0 through 6.3.0.1, and has been fixed in Apache Struts versions 2.5.33 and 6.3.0.2.

Apache says Struts 2 security bug wasn't fully fixed in 2020
2022-04-13 21:30

Apache has taken another shot at fixing a critical remote code execution vulnerability in its Struts 2 framework for Java applications - because the first patch, issued in 2020, didn't fully do the trick. The security flaw exists in Struts versions 2.0.0 to 2.5.29, and an attacker could exploit it to gain control of a vulnerable system.

Critical Apache Struts RCE vulnerability wasn't fully fixed, patch now
2022-04-13 14:35

Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn't fully remedied. Tracked as CVE-2021-31805, the critical vulnerability exists in Struts 2 versions from 2.0.0 up to and including 2.5.29.

Possible Code Execution Flaw in Apache Struts
2020-12-08 19:51

The Apache Software Foundation has released a security update for Struts 2, to address what is described as a "Possible remote code execution" flaw related to the OGNL technology. Tracked as CVE-2020-17530, the newly addressed bug resides in "Forced OGNL evaluation, when evaluated on raw user input in tag attributes," according to an Apache advisory.

Potential Apache Struts 2 RCE flaw fixed, PoCs released
2020-08-17 10:03

Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability and PoC exploits for it have been published. "We continue to urge developers building upon Struts 2 to not use % syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities," René Gielen, Struts Project Management Committee chair, added.