
Apache Struts Vulnerability Affecting Cisco Products

13th December 2023

Summary

Last week, on December 7, 2023, a critical-severity Apache Struts vulnerability was disclosed: CVE-2023-50164 (CVSS 3.1 score: 9.8). An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file that can be used to perform remote code execution. Details are available in the Apache Software Foundation security bulletin.

Yesterday, Cisco published a security advisory because multiple Cisco products are affected by this vulnerability. Cisco is currently investigating the affected products and the impact on them. Refer to Cisco's security advisory for the latest updates.

 

Affected Versions

  • Apache Struts 2.0.0 through 2.5.32
  • Apache Struts 6.0.0 through 6.3.0.1

 

Recommendations

Users should upgrade to Struts 2.5.33, Struts 6.3.0.2, or greater to fix this issue.
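
To find deployments that still need the upgrade, the following added example (not code from Apache, Cisco or this bulletin) scans a directory tree for Struts core jars, including jars bundled inside WAR/EAR/JAR archives, and flags versions in the affected ranges listed above. It assumes the library is deployed under its Maven artifact name `struts2-core-<version>.jar`; the function names are illustrative.

```python
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Affected ranges exactly as listed in the bulletin (inclusive at both ends).
AFFECTED = [((2, 0, 0, 0), (2, 5, 32, 0)), ((6, 0, 0, 0), (6, 3, 0, 1))]
ARCHIVES = {".war", ".ear", ".jar"}
# Assumption: Struts is deployed under its Maven artifact name,
# struts2-core-<version>.jar; renamed or shaded copies are not detected.
JAR_RE = re.compile(r"(?:^|[/\\])struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")


def is_affected(version):
    """True if a dotted version string falls inside one of the affected ranges."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (4 - len(parts))  # pad so 6.3.0 compares as 6.3.0.0
    return any(low <= parts <= high for low, high in AFFECTED)


def find_struts(root):
    """Return (location, version, affected) for each struts2-core jar under root,
    on disk or packed one level deep inside a WAR/EAR/JAR archive."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        candidates = [(str(path), path.name)]
        if path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                candidates += [(f"{path}!/{n}", n) for n in archive.namelist()]
        for location, name in candidates:
            match = JAR_RE.search(name)
            if match:
                version = match.group(1)
                findings.append((location, version, is_affected(version)))
    return findings


if __name__ == "__main__":
    # With no argument, scan a constructed sample: one WAR bundling an affected jar.
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        with zipfile.ZipFile(Path(root) / "app.war", "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-6.3.0.1.jar", b"")
    for location, version, affected in find_struts(root):
        print(f"{'AFFECTED' if affected else 'ok':8}  {version:10}  {location}")
```

Pass an application server's deployment directory as the first argument to scan it; a clean result only means no jar with the standard name was found, so vendor-packaged products still need to be checked against the vendor's advisory.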