The Apache Software Foundation released security updates to address a critical file upload vulnerability in the Struts 2 open-source framework. Successful exploitation of the flaw, tracked as CVE-2023-50164, could lead to remote code execution.
A remote attacker can manipulate file upload parameters to enable path traversal, potentially leading to the upload of a malicious file that can be used to execute arbitrary code.
“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution,” reads the advisory published by the Apache Software Foundation.
The foundation urges organizations to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater.
The vulnerability was reported by Steven Seeley from Source Incite.
Apache did not confirm that the vulnerability has been actively exploited in attacks.
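To act on the upgrade guidance above, the following added example (not part of the original article or of Apache's tooling) audits a directory tree for `struts2-core` jars older than the fixed releases 2.5.33 and 6.3.0.2. It assumes the jars keep the standard `struts2-core-<version>.jar` file name and looks one level into `.war` archives; the function names are hypothetical.

```python
import re
import sys
import zipfile
from pathlib import Path

# Fixed releases as stated in the article: 2.5.33 and 6.3.0.2.
FIXED_2X = (2, 5, 33)
FIXED_6X = (6, 3, 0, 2)
# Assumption: jars keep the standard Maven artifact file name.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def is_patched(version: str) -> bool:
    """Compare a dotted version against the fixed release of its line."""
    v = tuple(int(part) for part in version.split("."))
    # The 2.x line is fixed from 2.5.33; anything newer is judged against 6.3.0.2.
    return v >= (FIXED_2X if v[0] == 2 else FIXED_6X)


def jar_names(root: Path):
    """Yield (location, name) for loose files and for entries inside WAR archives."""
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ".war":
            try:
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():
                        yield f"{path}!{entry}", entry
            except zipfile.BadZipFile:
                continue  # unreadable archive; skip it
        else:
            yield str(path), path.name


def audit(root):
    """Return sorted (location, version, patched) for each struts2-core jar found."""
    findings = []
    for location, name in jar_names(Path(root)):
        match = JAR_RE.search(name)
        if match:
            version = match.group(1)
            findings.append((location, version, is_patched(version)))
    return sorted(findings)


if __name__ == "__main__":
    for location, version, patched in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'ok' if patched else 'VULNERABLE':10} {version:10} {location}")
```

Renamed or shaded jars will not match the file-name pattern, so treat an empty result as "nothing found by name" and confirm against the application's dependency manifest.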