Apache has issued a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.
Tracked as CVE-2023-50164, the vulnerability is rooted in flawed "file upload logic" that enables unauthorized path traversal and can be exploited, under certain circumstances, to upload a malicious file and achieve arbitrary code execution.
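The flaw above is a path traversal in upload handling, and for Struts itself the only fix is the upgrade. As an added illustration (not code from the advisory or the Struts project), the following Python shows the server-side containment check that any upload handler should make regardless of framework, plus a small triage helper for replaying filenames seen in upload logs; the upload directory and sample names are constructed.

```python
from pathlib import Path, PurePosixPath


def safe_upload_path(upload_dir: str, client_filename: str) -> Path:
    """Return the only path an upload with this client-supplied name may be
    written to, or raise ValueError.

    Illustrative code, not Struts code. 'upload_dir' is a hypothetical
    destination directory chosen by the application."""
    if not client_filename or "\0" in client_filename:
        raise ValueError("empty filename or embedded NUL byte")
    # Treat both separators as separators: a Windows-style '..\\' would
    # otherwise survive a POSIX-only check.
    normalised = client_filename.replace("\\", "/")
    basename = PurePosixPath(normalised).name
    # Anything that is not already a bare file name (a directory component,
    # a leading slash, '.' or '..') is refused rather than silently stripped,
    # so the rejection can be logged as a traversal attempt.
    if basename != client_filename or basename in (".", ".."):
        raise ValueError(f"filename carries a path component: {client_filename!r}")
    base = Path(upload_dir).resolve()
    target = (base / basename).resolve()
    # Second, independent line of defence: after symlink and '..' resolution
    # the target must sit directly inside the upload directory.
    if target.parent != base:
        raise ValueError(f"resolved path escapes upload directory: {target}")
    return target


def triage_upload_names(upload_dir: str, names):
    """Classify a batch of client-supplied names, e.g. filenames recovered
    from access logs, so traversal attempts stand out in review."""
    verdicts = {}
    for name in names:
        try:
            safe_upload_path(upload_dir, name)
            verdicts[name] = "accepted"
        except ValueError as err:
            verdicts[name] = f"rejected: {err}"
    return verdicts


if __name__ == "__main__":
    # Constructed sample names, including classic traversal patterns.
    SAMPLE = ["invoice.pdf", "../../etc/passwd", "..\\..\\x.jsp",
              "/etc/passwd", "..", "photo\0.jsp", ""]
    for name, verdict in triage_upload_names("/srv/uploads", SAMPLE).items():
        print(f"{name!r:28} {verdict}")
```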
Struts is a Java framework that uses Model-View-Controller (MVC) architecture for building business-oriented web applications.
Steven Seeley of Source Incite is credited with discovering and reporting the bug, which affects the following software versions –
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that will fix the issue.
“All developers are strongly advised to do this upgrade,” the project maintainers said in an advisory posted last week. “It’s a drop-in replacement and the upgrade should be straightforward.”
While there is no evidence that the vulnerability has been exploited maliciously in real-world attacks, a previous security flaw in the framework (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.