Message-ID: <0de3c6b5-0b22-ffee-d3c8-2cefbcdf6e80@apache.org>
Date: Thu, 07 Dec 2023 07:38:54 +0000
From: Lukasz Lenart <lukaszlenart@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-50164: Apache Struts: File upload component had a directory traversal vulnerability

Severity: critical

Affected versions:

- Apache Struts 2.0.0 through 2.5.32
- Apache Struts 6.0.0 through 6.3.0.1

Description:

An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.1 or greater to fix this issue.
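As an added illustration, not code from this advisory or from the Struts project, the Java snippet below shows the generic pattern behind this class of bug: a file upload handler that joins a client-supplied file name onto the upload directory with no containment check, next to a hardened version that rejects path separators, strips any remaining directory component, enforces an extension allow-list and verifies that the normalised target still lies under the upload root. The upload root, the allowed extensions and the sample file names are assumptions made for the example; it does not reproduce the Struts-specific parameter handling the advisory refers to.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public class UploadPathCheck {

    // Hypothetical upload root, chosen for this example only.
    static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Hypothetical allow-list: an uploaded ".jsp" dropped under a directory the
    // servlet container serves is the "malicious file" route to code execution.
    static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "png", "jpg", "txt");

    // Vulnerable pattern: the attacker-controlled file name is joined to the
    // upload root as-is. A value such as "../../webapps/ROOT/cmd.jsp" resolves
    // outside UPLOAD_ROOT, which is the path traversal the advisory describes.
    static Path vulnerableTarget(String clientFileName) {
        return UPLOAD_ROOT.resolve(clientFileName).normalize();
    }

    // Hardened pattern: validate the name as an opaque token, then re-check
    // containment on the resolved path rather than trusting the validation.
    static Path safeTarget(String clientFileName) throws IOException {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IOException("empty file name");
        }
        // Reject both separator styles and NUL explicitly: a Windows-style
        // "..\\" is an ordinary character sequence on Linux but a separator
        // on Windows, so the platform's Path rules alone are not enough.
        if (clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0) {
            throw new IOException("file name must not contain separators or NUL");
        }
        Path name;
        try {
            name = Paths.get(clientFileName).getFileName();
        } catch (InvalidPathException e) {
            throw new IOException("invalid file name", e);
        }
        String token = name == null ? "" : name.toString();
        if (token.isEmpty() || token.equals(".") || token.equals("..")) {
            throw new IOException("file name has no usable component");
        }
        int dot = token.lastIndexOf('.');
        String ext = dot < 0 ? "" : token.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IOException("extension not allowed: " + ext);
        }
        Path target = UPLOAD_ROOT.resolve(name).normalize();
        // Containment check: the final path must still live under the root.
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IOException("resolved path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real request.
        String[] samples = {
            "report.pdf",
            "../../webapps/ROOT/cmd.jsp",
            "..",
            "sub/dir.txt",
            "shell.jsp",
        };
        for (String s : samples) {
            System.out.println("input: " + s);
            System.out.println("  vulnerable -> " + vulnerableTarget(s));
            try {
                System.out.println("  hardened   -> " + safeTarget(s));
            } catch (IOException e) {
                System.out.println("  hardened   -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running the class prints, for each constructed name, where the naive join would write versus what the hardened check does; the traversal sample lands under webapps/ROOT in the vulnerable case and is rejected in the hardened one. The containment check after `normalize()` is the part worth keeping even if the earlier string checks are relaxed, because it holds regardless of how the name was encoded or which parameter carried it.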

Credit:

Steven Seeley (reporter)

References:

https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://struts.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-50164
