December 11, 2023 at 07:48AM
The Apache Software Foundation released security updates addressing a critical file upload vulnerability in Struts 2, which could be exploited to execute arbitrary code remotely. Tracked as CVE-2023-50164, the flaw impacts Struts versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.32, and 6.0.0 to 6.3.0. The vulnerability was patched in Struts versions 2.5.33 and 6.3.0.2. Apache advises all users to update to the latest web application framework versions to prevent potential attacks.
The Apache Software Foundation's announcement concerns a critical-severity file upload vulnerability in the Struts 2 open source development framework. The vulnerability, tracked as CVE-2023-50164, is a flaw in the file upload logic that could enable an attacker to execute arbitrary code remotely. It affects Struts versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.32, and 6.0.0 to 6.3.0. The vulnerability was patched with the release of Struts versions 2.5.33 and 6.3.0.2. The researcher who reported the vulnerability, Steven Seeley of Source Incite, recommended that all Struts 2 users update to a patched release. Apache likewise urged all users to update to the latest web application framework versions, stating that the upgrade should be straightforward and strongly advising all developers to perform it. There is no mention of the vulnerability being exploited in malicious attacks, but Struts flaws have been targeted in the wild before, including in the attacks against the US credit reporting agency Equifax.
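For teams that need to triage their own deployments against the version ranges above, the following added example (not part of the original article or of any Apache tooling) compares a Struts version string against the affected ranges exactly as the advisory states them and flags `struts2-core` jar files by name. The jar filename pattern and the sample file list are assumptions constructed for the demonstration; versions with fewer components are padded with zeros before comparison, so a four-component release such as 6.3.0.2 sorts above the 6.3.0 upper bound.

```python
"""Triage helper for CVE-2023-50164: is a given Struts 2 version in an affected range?

Ranges are taken from the advisory summary (inclusive):
  2.0.0 - 2.3.37, 2.5.0 - 2.5.32, 6.0.0 - 6.3.0
Fixed releases: 2.5.33 and 6.3.0.2.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive (low, high) bounds named in the advisory.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((2, 0, 0), (2, 3, 37)),
    ((2, 5, 0), (2, 5, 32)),
    ((6, 0, 0), (6, 3, 0)),
]

# Assumed naming convention for the core jar, e.g. struts2-core-2.5.32.jar.
JAR_PATTERN = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Version:
    """Turn a dotted numeric version such as '6.3.0.2' into a tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so tuples of different length compare sensibly."""
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True if the version lies inside any advisory range (inclusive)."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        width = max(len(v), len(low), len(high))
        if _pad(low, width) <= _pad(v, width) <= _pad(high, width):
            return True
    return False


def version_from_jar(filename: str) -> Optional[str]:
    """Extract the version from a struts2-core jar name, or None for other jars."""
    match = JAR_PATTERN.match(filename)
    return match.group(1) if match else None


def scan_jar_names(filenames: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (filename, version, affected) for every struts2-core jar in the list."""
    findings = []
    for name in filenames:
        version = version_from_jar(name)
        if version is not None:
            findings.append((name, version, is_affected(version)))
    return findings


# Constructed sample of a WEB-INF/lib directory listing (not real inventory data).
SAMPLE_JARS = [
    "commons-io-2.11.0.jar",
    "struts2-core-2.5.32.jar",
    "struts2-core-6.3.0.2.jar",
    "ognl-3.3.4.jar",
]

if __name__ == "__main__":
    for name, version, affected in scan_jar_names(SAMPLE_JARS):
        status = "AFFECTED - upgrade" if affected else "not in affected ranges"
        print(f"{name}: {version} -> {status}")
```

The check is only as good as the ranges fed into it; if Apache later widens the affected set, `AFFECTED_RANGES` is the single place to update, and the jar-name scan should be paired with an actual dependency inventory rather than trusted on its own.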