13th December 2023
Summary
Last week, on December 7, 2023, a critical severity Apache Struts vulnerability was disclosed: CVE-2023-50164 (CVSS 3.1 base score 9.8). An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file that can then be used to perform remote code execution. Details are available in the Apache Software Foundation security bulletin.
Yesterday Cisco published a security advisory, as multiple Cisco products are affected by this vulnerability. Cisco is still investigating which products are affected and the impact on each; refer to their security advisory for the latest updates.
Affected Versions
- Apache Struts 2.0.0 through 2.5.32
- Apache Struts 6.0.0 through 6.3.0.1
Recommendations
Users are recommended to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or later to fix this issue.
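As an added example (not code from the Apache or Cisco advisories), the following Python check maps a deployed Struts version, or the filename of a deployed Struts core jar, onto the affected ranges and fixed releases listed above. The jar filename pattern (`struts2-core-<version>.jar`) and the sample inventory paths are assumptions made for the example.

```python
"""Check deployed Apache Struts versions against the CVE-2023-50164 advisory:
affected 2.0.0 to 2.5.32 (fixed in 2.5.33) and 6.0.0 to 6.3.0.1 (fixed in 6.3.0.2)."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Inclusive affected ranges and the fixed release for each line, from the advisory.
AFFECTED_RANGES = (
    ((2, 0, 0), (2, 5, 32), "2.5.33"),
    ((6, 0, 0), (6, 3, 0, 1), "6.3.0.2"),
)

# Assumed naming of the Struts core artifact, e.g. struts2-core-6.3.0.1.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.3.0.1' into (6, 3, 0, 1); anything non-numeric is rejected."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unrecognised Struts version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(v: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    # Pad with zeros so (2, 5, 32) and (2, 5, 32, 0) compare as equal.
    return v + (0,) * (width - len(v))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = _pad(parse_version(version))
    for low, high, fixed in AFFECTED_RANGES:
        if _pad(low) <= v <= _pad(high):
            return fixed
    return None


def check_jar(path: str) -> Optional[str]:
    """Return the fixed release if `path` is an affected Struts core jar, else None."""
    m = JAR_RE.search(path)
    return fixed_version_for(m.group(1)) if m else None


def scan_inventory(paths: Iterable[str]) -> Dict[str, str]:
    """Map each affected jar path in a (constructed) inventory to its fixed release."""
    return {p: fix for p in paths if (fix := check_jar(p)) is not None}
```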