New Critical RCE Vulnerability Discovered in Apache Struts 2 – Patch Now
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.
Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed “file upload logic” that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code.
Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.
Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software –
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.
“All developers are strongly advised to perform this upgrade,” the project maintainers said in an advisory posted last week. “This is a drop-in replacement and upgrade should be straightforward.”
While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.