An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html | Third Party Advisory VDB Entry |
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj | Mailing List Patch |
https://security.netapp.com/advisory/ntap-20231214-0010/ | Third Party Advisory VDB Entry |
https://www.openwall.com/lists/oss-security/2023/12/07/1 | Mailing List |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2023-12-07T08:49:19.853Z
Updated: 2023-12-12T09:26:34.588Z
Reserved: 2023-12-04T08:37:57.468Z
Link: CVE-2023-50164
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-12-07T09:15:07.060
Modified: 2023-12-20T17:58:26.917
Link: CVE-2023-50164
JSON object: View
Redhat Information
No data.
CWE