Bug 2253938 (CVE-2023-50164) - CVE-2023-50164 Apache Struts: File upload component had a directory traversal vulnerability
Summary: CVE-2023-50164 Apache Struts: File upload component had a directory traversal...
Keywords:
Status: NEW
Alias: CVE-2023-50164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2253939
TreeView+ depends on / blocked
 
Reported: 2023-12-11 06:03 UTC by Avinash Hanwate
Modified: 2025-01-01 08:28 UTC (History)
88 users (show)

Fixed In Version: Struts 2.5.33, Struts 6.3.0.2
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Avinash Hanwate 2023-12-11 06:03:58 UTC 
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://struts.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-50164
Note You need to log in before you can comment on or make changes to this bug.