An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
Vulnerable Product |
---|
apache struts |
Microsoft fixed 36 flaws. Adobe addressed 212. Apple, Google, Cisco, VMware and Atlassian joined the party
It's the last Patch Tuesday of 2023, which calls for celebration – just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course. Let's start with Apple, since two of the bugs Cupertino disclosed yesterday may have already been used for evil purposes. While the fruit cart's December release fixes all the iThings, there are two especially concerning vulnerabilities in the WebKit (again) web browser engine that affect AppleTVs...
Seriously, people - please check the stuff you fetch more carefully
Security vendor Sonatype believes developers are failing to address the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, based on recent downloads of the code. The vulnerability, tracked as CVE-2023-50164, is rated 9.8 out of 10 in terms of CVSS severity. It is a logic bug in the framework's file upload feature: if an application uses Struts 2 to allow users to upload files to a server, those folks can abuse the vulnerability to save documents where they shoul...