Overview:
The Apache Software Foundation has released a security advisory addressing a critical security flaw in the Apache Struts 2 open-source web application framework, tracked as CVE-2023-50164. The vulnerability poses a significant risk of remote code execution because flawed “file upload logic” enables unauthorized path traversal.
Details of the Vulnerability:
The vulnerability resides in the framework’s handling of file upload parameters. An unauthenticated, remote attacker could exploit this flaw to perform unauthorized path traversal, potentially allowing navigation through the server’s directory structure. This could lead to the upload of a malicious file and, ultimately, result in remote code execution.
Affected Versions:
The impact spans multiple versions, including:
- Struts 2.0.0 through 2.5.32
- Struts 6.0.0 through 6.3.0.1
Mitigation Steps:
Patches for the vulnerability are available in Apache Struts versions 2.5.33 and 6.3.0.2 or greater. The project maintainers strongly advise all developers to perform this upgrade, as it is a straightforward drop-in replacement.
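To find deployments that still need the upgrade, the version ranges listed above can be compared against the Struts jars actually present on a server. The following is an added example, not code from the Apache advisory or the Struts project; it assumes the library keeps its Maven file name struts2-core-<version>.jar, and the function names are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected ranges from this advisory (inclusive), padded to four components.
AFFECTED = [((2, 0, 0, 0), (2, 5, 32, 0)), ((6, 0, 0, 0), (6, 3, 0, 1))]
# Assumption: the jar keeps its Maven file name, struts2-core-<version>.jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?\.jar$")


def is_affected(version):
    """True if a dotted version such as '6.3.0.1' falls in an affected range."""
    parts = tuple(int(p) for p in version.split("."))
    padded = parts + (0,) * (4 - len(parts))  # '6.3.0' compares as 6.3.0.0
    return any(low <= padded <= high for low, high in AFFECTED)


def classify(name):
    """Return (version, affected) for a struts2-core jar name, else None."""
    match = JAR_RE.search(name)
    if not match:
        return None
    return match.group(1), is_affected(match.group(1))


def scan(root):
    """List (location, version, affected) for jars on disk and one level inside WAR/EAR files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        hit = classify(path.name)
        if hit:
            findings.append((str(path), *hit))
        elif path.suffix.lower() in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    hit = classify(entry)
                    if hit:
                        findings.append((f"{path}!{entry}", *hit))
    return findings


if __name__ == "__main__":
    for location, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':8}  {version:10}  {location}")
```

Renamed or shaded jars and archives nested more than one level deep are not detected by file name, so a clean result from this check does not replace a dependency inventory.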
Historical Context:
While there is currently no evidence of malicious exploitation in real-world attacks, a prior security flaw in Apache Struts (CVE-2017-5638) was exploited by threat actors in 2017, leading to a significant data breach. This underscores the importance of promptly addressing such vulnerabilities to prevent potential exploitation.
References:
- https://thehackernews.com/2023/12/new-critical-rce-vulnerability.html
- https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/
- https://securityaffairs.com/155643/hacking/apache-struts-2-critical-flaw.html?web_view=true
- https://threatprotect.qualys.com/2023/12/08/apache-struts2-remote-code-execution-vulnerability-cve-2023-50164/
- https://cwiki.apache.org/confluence/display/WW/S2-066
- https://nvd.nist.gov/vuln/detail/CVE-2023-50164