Bug 2253938 (CVE-2023-50164) - CVE-2023-50164 Apache Struts: File upload component had a directory traversal vulnerability
Summary: CVE-2023-50164 Apache Struts: File upload component had a directory traversal...
Keywords:
Status: NEW
Alias: CVE-2023-50164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2253939
Reported: 2023-12-11 06:03 UTC by Avinash Hanwate
Modified: 2024-05-13 19:43 UTC (History)

Fixed In Version: Struts 2.5.33, Struts 6.3.0.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Struts. Affected versions of this package are vulnerable to Remote Code Execution (RCE) via manipulation of file upload parameters that enable path traversal. Under certain conditions, uploading a malicious file is possible, which may then be executed on the server.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-12-11 06:03:58 UTC
An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://struts.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-50164

