Service Notices
Apache Struts 2 Remote Code Execution Vulnerability (CVE-2023-50164)
Dec 13, 2023 GMT+08:00
I. Overview
Apache recently disclosed a major remote code execution vulnerability (CVE-2023-50164) affecting specific Apache Struts 2 versions. Because of a defect in the file upload logic, an attacker can manipulate file upload parameters to perform path traversal and upload a malicious file. Successful exploitation can lead to remote code execution.
Apache Struts 2 is a popular Java web application framework. If you use Apache Struts 2, check which version you are running and apply security hardening promptly.
Reference
https://cwiki.apache.org/confluence/display/WW/S2-066
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache Struts 2.5.0 - 2.5.32
Apache Struts 6.0.0 - 6.3.0
Secure versions:
Apache Struts >= 2.5.33
Apache Struts >= 6.3.0.2
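As an added example (not part of this notice), the Python check below maps a Struts version string or a struts2-core jar file name onto the affected and secure ranges listed above and names the release to upgrade to; the jar names in the demo are constructed.

```python
"""Version check for CVE-2023-50164 (added example; ranges copied from the advisory above)."""
import re
from typing import Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges listed in the advisory.
AFFECTED_RANGES = (((2, 5, 0), (2, 5, 32)), ((6, 0, 0), (6, 3, 0)))
# First secure release per line, also from the advisory.
FIXED = {2: (2, 5, 33), 6: (6, 3, 0, 2)}

# A version needs at least two dotted components and must not be glued to a
# word, so the "2" in "struts2-core-..." is skipped.
_VERSION_RE = re.compile(r"(?<!\w)(\d+(?:\.\d+)+)")

def parse_version(text: str) -> Version:
    """Extract the version from '6.3.0' or an artifact name like 'struts2-core-2.5.32.jar'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def _le(a: Version, b: Version) -> bool:
    """Compare after right-padding with zeros, so 6.3.0 reads as 6.3.0.0 against 6.3.0.2."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))

def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(_le(lo, v) and _le(v, hi) for lo, hi in AFFECTED_RANGES)

def recommended_upgrade(text: str) -> str:
    """Secure release for an affected version's line, or '' when no upgrade is required."""
    v = parse_version(text)
    if not is_affected(text):
        return ""
    return ".".join(map(str, FIXED[v[0]]))

if __name__ == "__main__":
    # Constructed sample of jar names as they might appear on a classpath.
    for jar in ("struts2-core-2.5.32.jar", "struts2-core-2.5.33.jar",
                "struts2-core-6.3.0.jar", "struts2-core-6.3.0.2.jar"):
        target = recommended_upgrade(jar)
        print(f"{jar}: {'upgrade to ' + target if target else 'not affected'}")
```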
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official release. If your version falls within the affected range, upgrade to a secure version:
https://struts.apache.org/download.cgi
Note: Back up your files and test thoroughly before applying the fix.