CVE-2023-50164

EUVD-2023-3074
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
apachestruts
2.0.0 ≤
𝑥
< 2.5.33
apachestruts
6.0.0 ≤
𝑥
< 6.3.0.2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libstruts1.2-java
bionic
ignored
focal
dne
jammy
dne
lunar
dne
mantic
dne
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://security.netapp.com/advisory/ntap-20231214-0010/
https://www.openwall.com/lists/oss-security/2023/12/07/1
http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://security.netapp.com/advisory/ntap-20231214-0010/
https://www.openwall.com/lists/oss-security/2023/12/07/1