Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.
Tracked as CVE-2023-50164, the vulnerability is rooted in flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under certain circumstances to upload a malicious file and achieve execution of arbitrary code.
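As an added, illustrative example (this is not code from the Struts project or its fix for CVE-2023-50164), the Java snippet below shows the kind of check that file upload handling needs so that a client-controlled file name can never escape the intended upload directory: an allowlist on the bare file name, followed by a resolve-and-normalize containment check. The upload directory path and the allowlist pattern are assumptions chosen for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added illustrative example (not Struts project code): validate a client-supplied
// upload file name so that the file can only ever be written inside UPLOAD_ROOT.
public final class SafeUploadPath {

    // Hypothetical upload directory; in practice pick a location outside the web root.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Conservative allowlist for the bare file name: alphanumeric start, then a bounded
    // run of safe characters. Separators, NUL bytes, "." and ".." all fail this pattern.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    /**
     * Returns the path under UPLOAD_ROOT where the upload may be written, or throws
     * IllegalArgumentException if the client-supplied name is not acceptable.
     */
    public static Path resolveUploadTarget(String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }

        // First gate: the name must be a plain file name, with no directory components.
        if (!SAFE_NAME.matcher(clientFileName).matches()) {
            throw new IllegalArgumentException("rejected file name: " + clientFileName);
        }

        // Second gate (defense in depth): after resolving and normalizing, the target
        // must still be inside the upload directory.
        Path target = UPLOAD_ROOT.resolve(clientFileName).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload directory: " + clientFileName);
        }
        return target;
    }

    // Constructed sample inputs showing which names are accepted and which are rejected.
    public static void main(String[] args) {
        String[] samples = {
            "report.pdf",            // accepted
            "../../outside.txt",     // rejected: contains separators and ".."
            "..\\..\\outside.txt",   // rejected: backslash separators
            "..",                    // rejected: does not start with an alphanumeric
            "nested/dir/notes.txt",  // rejected: directory component in the name
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + resolveUploadTarget(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with `java SafeUploadPath.java` (Java 11 or later supports single-file launch). The example rejects any name carrying directory components rather than silently reducing it to its last element; stripping to the base name is a reasonable alternative, but rejecting makes traversal attempts visible in application logs, which is useful for detection.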
Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.
Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software:
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.
"All developers are strongly advised to perform this upgrade," the project maintainers said in an advisory published last week. "This is a drop-in replacement and upgrade should be straightforward."
While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.
Some parts of this post are sourced from:
thehackernews.com