The Apache Software Foundation addressed a critical remote code execution vulnerability in the Apache Struts 2 open-source framework.
The Apache Software Foundation released security updates to address a critical file upload vulnerability in the Struts 2 open-source framework. Successful exploitation of the flaw, tracked as CVE-2023-50164, could lead to remote code execution.
A remote attacker can manipulate file upload parameters to enable path traversal, which can potentially lead to uploading a malicious file that is then used to execute arbitrary code.
“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution,” reads the advisory published by the Apache Software Foundation.
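The mitigation class the advisory points at is keeping a client-supplied upload filename from steering the write outside the intended directory. The following is an added Python illustration of that server-side check; it is not Apache's fix and not Struts code, and `UPLOAD_ROOT`, `safe_upload_path` and `is_safe_filename` are assumed names for this example.

```python
"""Server-side check that keeps a client-supplied upload filename inside the
upload directory, so a manipulated name cannot become a path traversal.
Illustration only (not the Struts 2 fix); UPLOAD_ROOT is a hypothetical path."""
from pathlib import Path

UPLOAD_ROOT = Path("/srv/app/uploads")  # hypothetical upload directory


class UnsafeFilename(ValueError):
    """Raised when a filename could escape the upload directory."""


def safe_upload_path(user_filename: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Return the destination path for user_filename, or raise UnsafeFilename.

    Rejects NUL bytes, directory separators of either flavour and the '.'/'..'
    names, then confirms that the resolved destination's parent is still the
    upload root (belt and braces: this also covers any normalisation the
    string checks missed).
    """
    if not user_filename or "\x00" in user_filename:
        raise UnsafeFilename("empty or NUL-containing filename")
    # Treat backslash as a separator too: the server OS may differ from the
    # client's, and a Windows-style '..\\' must not pass on Linux.
    name = user_filename.replace("\\", "/")
    if "/" in name:  # also catches absolute paths, which start with '/'
        raise UnsafeFilename(f"separator or absolute path in {user_filename!r}")
    if name.strip() in ("", ".", ".."):
        raise UnsafeFilename(f"reserved or blank name {user_filename!r}")
    root = upload_root.resolve()
    dest = (root / name).resolve()
    if dest.parent != root:
        raise UnsafeFilename(f"{user_filename!r} resolves outside {root}")
    return dest


def is_safe_filename(user_filename: str, upload_root: Path = UPLOAD_ROOT) -> bool:
    """Boolean wrapper for quick filtering and tests."""
    try:
        safe_upload_path(user_filename, upload_root)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest traversal attempts.
    for candidate in ["report.pdf", "../../evil.jsp", "..\\..\\evil.jsp",
                      "/etc/passwd", "..", "a.jsp\x00.txt"]:
        verdict = "accepted" if is_safe_filename(candidate) else "rejected"
        print(f"{candidate!r:24} -> {verdict}")
```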
The foundation urges organizations to upgrade to Struts 2.5.33 or Struts 18.104.22.168 or greater.
The vulnerability was reported by Steven Seeley from Source Incite.
Apache did not confirm that the vulnerability has been actively exploited in attacks.