Apache Struts fixes Critical Vulnerability – CVE-2023-50164


Researchers have identified a critical vulnerability in Apache Struts that could lead to unauthorised path traversal: an attacker can manipulate the framework’s file upload parameters to navigate the server’s directory structure and upload a malicious file, which, once deployed, can lead to remote code execution.

The security flaw, identified as CVE-2023-50164, poses a severe threat to systems running certain versions of Apache Struts. This vulnerability is rooted in the framework’s handling of file upload parameters, which, if manipulated, can lead to unauthorized path traversal.

This vulnerability was discovered and reported by security researcher Steven Seeley. The versions of Apache Struts impacted by this vulnerability span a considerable range. Systems running Struts 2.5.0 to Struts 2.5.32 and Struts 6.0.0 to Struts 6.3.0 are at risk. The potential for exploitation in these versions cannot be overstated.

In response to the CVE-2023-50164 flaw, Apache has released updated versions of Struts. Upgrading to Struts 2.5.33 or Struts 6.3.0.2 or later is not just recommended; it’s imperative. This upgrade is the digital equivalent of a vaccine against a virulent cyber threat – a necessary step to ensure the health and security of your web applications.

It is recommended that you take the following steps to further secure your Apache Struts applications:

  • Review your file upload configurations: Ensure that your applications are configured to only accept authorized file types and to limit the size of uploaded files.
  • Use a web application firewall (WAF): A WAF can help to detect and block malicious traffic.
  • Keep your software up-to-date: Regularly update your Apache Struts framework and any other software you are using to the latest version.
  • Monitor your applications: Monitor your applications for any suspicious activity that could indicate an attack.
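The first recommendation above, reviewing file upload configurations, is illustrated below with an added example that is not part of the article and not code from Apache Struts. It is a hypothetical Java helper (`UploadGuard`, a constructed name) showing the general defensive pattern for any upload handler: keep only the final path component of the client-supplied filename, enforce an extension allow-list and a size limit, and verify after normalisation that the destination still lies inside the upload directory. The allow-list, size limit and upload root are assumptions chosen for the example; the patched Struts versions named in the article remain the actual fix for CVE-2023-50164.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper (not part of Apache Struts) that validates an upload
 *  before the application writes it under a fixed directory. */
public final class UploadGuard {

    /** Constructed allow-list of extensions this application accepts. */
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpg", "pdf");

    /** Constructed size limit: 5 MiB. */
    private static final long MAX_SIZE_BYTES = 5L * 1024 * 1024;

    private UploadGuard() {}

    /**
     * Returns the canonical destination path for the upload, or throws
     * IllegalArgumentException if the client-supplied name or size is unsafe.
     */
    public static Path resolveDestination(Path uploadRoot, String clientFilename, long sizeBytes) {
        if (sizeBytes < 0 || sizeBytes > MAX_SIZE_BYTES) {
            throw new IllegalArgumentException("upload exceeds size limit");
        }
        if (clientFilename == null || clientFilename.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid filename");
        }
        // Keep only the final component. Clients may send a full path with either
        // separator; a traversal attempt depends on the directory part surviving.
        int cut = Math.max(clientFilename.lastIndexOf('/'), clientFilename.lastIndexOf('\\'));
        String base = clientFilename.substring(cut + 1).trim();
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("invalid filename");
        }
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            throw new IllegalArgumentException("missing or empty extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Containment check: after normalisation the target must still be inside the root.
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(base).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/app/uploads"); // constructed upload root
        String[] samples = {                        // constructed client filenames
            "report.pdf",             // accepted
            "../../etc/passwd",       // directories dropped; no allowed extension, rejected
            "..\\..\\web\\page.jsp",  // directories dropped; extension not allowed, rejected
            "photo.PNG",              // accepted, extension compared case-insensitively
            "..",                     // rejected
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveDestination(root, s, 1024));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running `main` prints one line per constructed sample, showing which names are accepted and why the others are refused. The containment check is deliberately kept even though the earlier steps already strip directories: it is the last line of defence if a future change to the name handling reintroduces a path component, and it costs nothing.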
