CVE-2023-50164 - Unspecified vulnerability in Apache Struts
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
Vulnerable Configurations
Related news
- New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now (source)
- Hackers are exploiting critical Apache Struts flaw using public PoC (source)
- Attackers are trying to exploit Apache Struts vulnerability (CVE-2023-50164) (source)
- Week in review: Apache Struts vulnerability exploit attempt, EOL Sophos firewalls get hotfix (source)
- Four in five Apache Struts 2 downloads are for versions featuring critical flaw (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
References
- http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html
- https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
- https://security.netapp.com/advisory/ntap-20231214-0010/
- https://www.openwall.com/lists/oss-security/2023/12/07/1