Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.
Tracked as CVE-2023-50164, the vulnerability is rooted in flawed file upload logic that could enable unauthorized path traversal and, under certain circumstances, be exploited to upload a malicious file and achieve execution of arbitrary code.
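The bug class described above, a client-controlled upload file name that walks out of the intended upload directory, is illustrated below in an added example. This is generic illustrative code written for this page, not the Struts project's code and not the patched logic; the upload directory `/srv/uploads`, the sample file names, and the function names are all constructed for the illustration. It shows the unsafe pattern (trusting the supplied name) beside a two-layer check: a strict rule on the name itself, plus a lexical containment check on the resolved path.

```python
# Added example (not from the advisory or the Struts project): a generic
# illustration of client-controlled upload file names escaping the upload
# directory. upload_dir and the sample names below are constructed inputs.
import os
from typing import Optional


def vulnerable_target(upload_dir: str, client_name: str) -> str:
    """The unsafe pattern: trust the file name the client sent.

    Returns the normalised path the filesystem would actually open.
    os.path.join discards upload_dir entirely when client_name is absolute,
    and '..' components walk out of the directory.
    """
    return os.path.normpath(os.path.join(upload_dir, client_name))


def escapes_upload_dir(upload_dir: str, client_name: str) -> bool:
    """Lexical containment check: does the final path leave upload_dir?

    Purely lexical, so symlinks inside upload_dir are not followed; use
    os.path.realpath on both sides if that matters in your deployment.
    On POSIX a backslash is an ordinary character, so this check alone
    does not catch Windows-style '..\\' sequences (see upload_decision).
    """
    base = os.path.normpath(os.path.abspath(upload_dir))
    target = os.path.normpath(os.path.join(base, client_name))
    return os.path.commonpath([base, target]) != base or target == base


def upload_decision(upload_dir: str, client_name: str) -> str:
    """Classify a client-supplied file name.

    Returns 'ok', 'rejected-name' (not a single plain path component) or
    'rejected-escape' (the resolved path leaves upload_dir).
    """
    # Layer 1: accept only one plain path component. No separators of either
    # platform, no NUL (truncates names in C-backed APIs), no '.' or '..'.
    if not client_name or "\x00" in client_name:
        return "rejected-name"
    if "/" in client_name or "\\" in client_name:
        return "rejected-name"
    if client_name in (".", ".."):
        return "rejected-name"
    # Layer 2: defence in depth, confirm the final path is still inside
    # upload_dir even if the name rule above is ever relaxed.
    if escapes_upload_dir(upload_dir, client_name):
        return "rejected-escape"
    return "ok"


def safe_target(upload_dir: str, client_name: str) -> Optional[str]:
    """Return the path to write to, or None if the name was rejected."""
    if upload_decision(upload_dir, client_name) != "ok":
        return None
    base = os.path.normpath(os.path.abspath(upload_dir))
    return os.path.join(base, client_name)


if __name__ == "__main__":
    # Constructed sample names, as an attacker might send them.
    samples = ["report.pdf", "../../etc/cron.d/job", "/etc/passwd",
               "..\\..\\web.config", "shell.jsp\x00.png", "a/b.txt", ".."]
    for name in samples:
        print(f"{name!r:26} vulnerable -> {vulnerable_target('/srv/uploads', name)}")
        print(f"{'':26} decision   -> {upload_decision('/srv/uploads', name)}")
```

Running the script shows why both layers are needed: `../../etc/cron.d/job` and `/etc/passwd` are caught by the containment check, but `..\..\web.config` survives it on POSIX and is only stopped by the single-component rule, while `a/b.txt` stays inside the directory yet is still rejected because a file name should never carry a directory part.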
Struts is a Java framework that employs the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.
Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software –
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or later. There are no workarounds that remediate the issue.
“All developers are strongly advised to perform this upgrade,” the project maintainers said in an advisory published last week. “This is a drop-in replacement and upgrade should be straightforward.”
While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.