
New Critical RCE Vulnerability Found in Apache Struts 2

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.

Tracked as CVE-2023-50164, the vulnerability is rooted in flawed file upload logic that could allow unauthorized path traversal and could be exploited, under the right circumstances, to upload a malicious file and achieve execution of arbitrary code.
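The vulnerability class the advisory describes, a client-supplied upload file name that ends up steering where the server writes the file, is easy to see in a small handler. The following is an added, generic Java illustration, not Struts code and not the CVE-2023-50164 patch: `vulnerableTarget` joins the untrusted name straight onto the upload directory, while `hardenedTarget` rejects names carrying directory components and then re-checks that the normalized result still lies inside the upload root. The upload directory `/var/app/uploads` and the sample file names are constructed for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative upload-path handling (example code, not from Struts): a target
 * path computed from a client-controlled file name, beside a hardened version
 * that confines writes to the upload directory.
 */
public class UploadPathCheck {

    // Hypothetical upload directory used only for this example.
    static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /** Vulnerable: the client-controlled name is resolved against the root as-is,
     *  so "../x" walks out of the directory and "/abs/path" replaces it entirely. */
    static Path vulnerableTarget(String clientFileName) {
        return UPLOAD_ROOT.resolve(clientFileName);
    }

    /**
     * Hardened: allow only a single, plain file name (no '/' or '\', not "." or
     * ".."), then resolve, normalize and require the result to stay under
     * UPLOAD_ROOT. Path.startsWith compares path components, not string
     * prefixes, so a sibling such as "/var/app/uploads-old" does not pass.
     */
    static Path hardenedTarget(String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()
                || clientFileName.equals(".") || clientFileName.equals("..")
                || clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("rejected file name: " + clientFileName);
        }
        Path candidate;
        try {
            candidate = UPLOAD_ROOT.resolve(clientFileName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid file name: " + clientFileName, e);
        }
        // Defense in depth: even after the name check, verify containment.
        if (!candidate.startsWith(UPLOAD_ROOT) || candidate.equals(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path traversal rejected: " + clientFileName);
        }
        return candidate;
    }

    /** True when the computed target leaves the upload root after normalization. */
    static boolean escapesRoot(Path target) {
        return !target.normalize().startsWith(UPLOAD_ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample names: benign, relative traversal, absolute path.
        String[] names = { "report.pdf", "../../webapps/ROOT/cmd.jsp", "/etc/cron.d/job" };
        for (String name : names) {
            Path v = vulnerableTarget(name);
            System.out.printf("vulnerable %-28s -> %s (escapes root: %b)%n",
                    name, v.normalize(), escapesRoot(v));
            try {
                System.out.printf("hardened   %-28s -> %s%n", name, hardenedTarget(name));
            } catch (IllegalArgumentException e) {
                System.out.printf("hardened   %-28s -> REJECTED (%s)%n", name, e.getMessage());
            }
        }
    }
}
```

Run with `javac UploadPathCheck.java && java UploadPathCheck`. The point of the two checks in `hardenedTarget` is that the name check alone is the policy (only bare file names are acceptable), while the containment check catches anything that slips past it if the policy is later loosened; on a servlet container, the upload root should also sit outside any directory the container will compile or serve as JSP.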

Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.

Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which affects the following versions of the software:

  • Struts 2.3.37 (EOL)
  • Struts 2.5.0 – Struts 2.5.32, and
  • Struts 6.0.0 – Struts 6.3.0

Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or later. There are no workarounds that remediate the issue.

“All developers are strongly advised to perform this upgrade,” the project maintainers said in an advisory posted last week. “This is a drop-in replacement and upgrade should be straightforward.”


While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.
