CVE-2023-50164

Summary

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Struts2.0.0 <= 2.5.32affected
Apache Software FoundationApache Struts6.0.0 <= 6.3.0.1affected

Weaknesses

  • CWE-552: CWE-552 Files or Directories Accessible to External Parties

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References