An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html | Third Party Advisory VDB Entry |
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj | Mailing List Patch |
https://security.netapp.com/advisory/ntap-20231214-0010/ | Third Party Advisory VDB Entry |
https://www.openwall.com/lists/oss-security/2023/12/07/1 | Mailing List |
Configurations
Configuration 1 (hide)
|
History
20 Dec 2023, 17:58
Type | Values Removed | Values Added |
---|---|---|
References | () https://security.netapp.com/advisory/ntap-20231214-0010/ - Third Party Advisory, VDB Entry | |
References | () http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html - Third Party Advisory, VDB Entry |
14 Dec 2023, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Dec 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Dec 2023, 17:01
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | () https://www.openwall.com/lists/oss-security/2023/12/07/1 - Mailing List | |
References | () https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj - Mailing List, Patch |
07 Dec 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue. |
07 Dec 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Dec 2023, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-07 09:15
Updated : 2024-02-05 00:22
NVD link : CVE-2023-50164
Mitre link : CVE-2023-50164
CVE.ORG link : CVE-2023-50164
JSON object : View
Products Affected
apache
- struts
CWE
CWE-552
Files or Directories Accessible to External Parties