Proof-of-concept code published for Apache Struts vulnerability

A critical vulnerability in Apache Struts could have widespread downstream impacts on vendors that use the framework to build web apps like configuration interfaces.

The remote code execution bug, CVE-2023-50164, was discovered by Steven Seeley of Source Incite, who yesterday posted on X that proof-of-concept code exists for it.

Apache’s advisory states that all Struts developers and users need to upgrade to Struts 2.5.33, 6.3.0.2 or higher releases.

“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file”, the advisory stated.

It affects three branches of the framework: end-of-life versions from 2.0.0 to 2.3.37; 2.5 to 2.5.32, and 6.0.0 to 6.3.0.

The bug is already having downstream impacts, with networking vendor Cisco first to announce its response.

In an interim advisory, Cisco announced it is investigating which of its products may be impacted.

So far, 27 products are under investigation in Cisco’s collaboration and social media software; network and content security devices; network management and provisioning systems; and voice and unified communications devices.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts