There is a critical vulnerability in several versions of the Apache Struts framework that can allow an attacker to upload a malicious file and potentially gain remote code execution.
The flaw (CVE-2023-50164) affects versions 2.5.0-2.5.32 and 6.0.0-6.3.0, and the Apache Software Foundation has released updates to fix the bug. The issue is related to the way that Struts handles file uploads in some circumstances.
“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution,” the advisory says.
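The defensive side of the mechanism the advisory describes is that a server must never let a client-supplied upload name decide where a file is written. The following Java class is an added illustration, not code from the Struts project or from the advisory; the upload root `/var/app/uploads`, the class name and the sample names are assumptions. It reduces the client name to its last component regardless of separator style, allows only a conservative character set, and then verifies that the resolved target still lies beneath the upload root.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Hardening for a file-upload handler: the client-supplied name is untrusted input. */
public final class SafeUploadPath {

    // Hypothetical upload root; every stored file must resolve beneath it.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Conservative file-name shape: starts alphanumeric, then letters, digits, '.', '_' or '-'.
    // This also rejects "." and "..", which cannot start with an alphanumeric character.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    private SafeUploadPath() {}

    /**
     * Returns the absolute path where the upload may be written, or throws if the
     * client-supplied name contains disallowed characters or would leave UPLOAD_ROOT.
     */
    public static Path resolveUpload(String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Keep only the last path component for either separator style, so
        // "../../x", "..\\..\\x" and "dir/x" all collapse to "x".
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);

        if (!SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("disallowed file name: " + clientFileName);
        }

        // Defence in depth: even after sanitising, refuse any target outside the root.
        Path target = UPLOAD_ROOT.resolve(name).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample names: one ordinary, two traversal attempts, one malformed.
        String[] samples = { "report.pdf", "../../outside.txt", "..\\..\\outside.txt", "bad name?.txt" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveUpload(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The two traversal samples are accepted only as the bare name `outside.txt` inside the upload root, and the name with a space and `?` is rejected outright. Pairing this with storage outside the servlet container's web root, so that an uploaded file is never reachable as executable content, is the usual complement; the patched Struts versions remain the actual fix for the vulnerability itself.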
Apache Struts is a popular application development framework that is used widely in enterprises and other environments. Struts has been a favored target for attackers whenever publicly disclosed vulnerabilities have emerged. Because Struts is so popular for Java app development, the target base is quite large, and attackers have previously shown the ability to develop exploits for the framework.
Organizations running vulnerable versions of Struts should upgrade to version 2.5.33 or 6.3.0.2 to address the bug.