New Critical RCE Vulnerability Discovered in Apache Struts 2 – Patch Now

5 months ago AndyC

Dec 12, 2023NewsroomVulnerability / Software Security

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Dec 12, 2023NewsroomVulnerability / Software Security

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.

Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed “file upload logic” that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code.

Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.

Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software –

  • Struts 2.3.37 (EOL)
  • Struts 2.5.0 – Struts 2.5.32, and
  • Struts 6.0.0 – Struts 6.3.0

Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.

Cybersecurity

“All developers are strongly advised to perform this upgrade,” the project maintainers said in an advisory posted last week. “This is a drop-in replacement and upgrade should be straightforward.”

While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , ,

More Stories

FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT

FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT

15 hours ago AndyC
North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms

North Korean Hackers Deploy New Golang Malware ‘Durian’ Against Crypto Firms

1 day ago AndyC
CensysGPT: AI-Powered Threat Hunting for Cybersecurity Pros (Webinar)

CensysGPT: AI-Powered Threat Hunting for Cybersecurity Pros (Webinar)

1 day ago AndyC
Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability

Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability

1 day ago AndyC
What's the Right EDR for You?

What’s the Right EDR for You?

1 day ago AndyC
Malicious Android Apps Pose as Google, Instagram, WhatsApp, to Steal Credentials

Malicious Android Apps Pose as Google, Instagram, WhatsApp, to Steal Credentials

1 day ago AndyC

You may have missed

Ohio Lottery data breach impacted over 538,000 individuals

Ohio Lottery data breach impacted over 538,000 individuals

3 hours ago AndyC
Ohio Lottery data breach impacted over 538,000 individuals

Ohio Lottery data breach impacted over 538,000 individuals

3 hours ago AndyC
Notorius threat actor IntelBroker claims the hack of the Europol

Notorius threat actor IntelBroker claims the hack of the Europol

3 hours ago AndyC
Notorius threat actor IntelBroker claims the hack of the Europol

Notorius threat actor IntelBroker claims the hack of the Europol

3 hours ago AndyC

How to talk about climate change – and what motivates people to action: An interview with Katharine Hayhoe

9 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.