Apache fixed Critical RCE flaw CVE-2023-50164 in Struts 2

The Apache Software Foundation addressed a critical remote code execution vulnerability in the Apache Struts 2 open-source framework.

The Apache Software Foundation released security updates to address a critical file upload vulnerability in the Struts 2 open-source framework. Successful exploitation of the flaw, tracked as CVE-2023-50164, could lead to remote code execution.

A remote attacker can manipulate file upload parameters to enable path traversal, which under some circumstances can lead to uploading a malicious file that can be used to execute arbitrary code.

“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.” reads the advisory published by Apache Software Foundation.
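The bug class the advisory describes, as an added illustration (this is not Struts code and not the CVE-2023-50164 exploit, whose specific parameter manipulation the article does not detail): an upload handler that joins a client-supplied filename onto its upload directory, beside the check that rejects traversal. The directory, filenames and helper names are constructed for the example.

```python
"""Path traversal through a client-controlled upload filename, and the check that stops it.

Constructed example, not Apache Struts code. It models the generic bug the advisory
describes: the server joins an attacker-supplied filename onto its upload directory.
"""
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

# Constructed sample filenames, as a multipart upload client might send them.
SAMPLE_FILENAMES = [
    "report.pdf",                   # benign
    "../../webapps/ROOT/cmd.jsp",   # classic traversal toward a servlet root
    "..\\..\\cmd.jsp",              # Windows-style separators (harmless on POSIX, deadly on Windows)
    "subdir/../../cmd.jsp",         # traversal hidden behind a plausible prefix
    "/etc/cron.d/job",              # absolute path: Path(dir, "/abs") discards dir entirely
]


def naive_target(upload_dir: str, filename: str) -> Path:
    """Vulnerable pattern: trust the filename and join it onto the upload directory."""
    return Path(upload_dir, filename)


def safe_target(upload_dir: str, filename: str) -> Optional[Path]:
    """Hardened pattern: accept only a bare filename, then confirm the resolved path is
    still a direct child of the upload directory. Returns None when the upload must be rejected."""
    # Layer 1: a filename is a single path component. Reject separators of either
    # platform, NUL bytes (some stacks truncate on them) and the special names '.' and '..'.
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return None
    if filename in (".", ".."):
        return None
    # Layer 2: defence in depth. Resolve both paths (following symlinks) and require the
    # target's parent to be the upload root. This also catches a symlink planted earlier
    # in the upload directory that points somewhere else.
    root = Path(upload_dir).resolve()
    target = (root / filename).resolve()
    if target.parent != root:
        return None
    return target


def escapes_root(upload_dir: str, target: Path) -> bool:
    """True when `target` resolves outside `upload_dir`, i.e. traversal succeeded."""
    root = Path(upload_dir).resolve()
    try:
        target.resolve().relative_to(root)
    except ValueError:
        return True
    return False


def classify(upload_dir: Optional[str] = None,
             filenames: Iterable[str] = SAMPLE_FILENAMES) -> Dict[str, Dict[str, bool]]:
    """For each sample name, report whether the naive join escapes the upload root and
    whether the hardened check accepts it. A temporary directory is used when none is given."""
    if upload_dir is None:
        upload_dir = tempfile.mkdtemp(prefix="uploads-")
    out: Dict[str, Dict[str, bool]] = {}
    for name in filenames:
        out[name] = {
            "naive_escapes": escapes_root(upload_dir, naive_target(upload_dir, name)),
            "safe_accepts": safe_target(upload_dir, name) is not None,
        }
    return out


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name!r:32} naive_escapes={verdict['naive_escapes']!s:5} "
              f"safe_accepts={verdict['safe_accepts']}")
```

Note that on a POSIX host the backslash sample does not escape under the naive join, because `..\..\cmd.jsp` is just an odd single filename there; the hardened check still rejects it, since the same stored name becomes a traversal the moment the directory is served from, or synced to, a Windows host.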

The foundation urges organizations to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater.

The vulnerability was reported by Steven Seeley from Source Incite.

Apache did not confirm that the vulnerability has been actively exploited in attacks.


Pierluigi Paganini

(SecurityAffairs – hacking, Apache)