Vulnerability Description
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can then be used to perform Remote Code Execution. Users are recommended to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Struts | >= 2.0.0, < 2.5.33 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Cod (Third Party Advisory, VDB Entry)
- https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj (Mailing List, Patch)
- https://security.netapp.com/advisory/ntap-20231214-0010/ (Third Party Advisory, VDB Entry)
- https://www.openwall.com/lists/oss-security/2023/12/07/1 (Mailing List)
FAQ
What is CVE-2023-50164?
CVE-2023-50164 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can then be used to perform Remote Code Execution. Users are recommended to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
How severe is CVE-2023-50164?
CVE-2023-50164 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-50164?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts.