Apache has issued a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.
Tracked as CVE-2023-50164, the vulnerability is rooted in flawed “file upload logic” that could enable unauthorized path traversal and, under the right conditions, could be exploited to upload a malicious file and achieve execution of arbitrary code.
Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.
Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software:
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or later. There are no workarounds that remediate the issue.
“All developers are strongly advised to perform this upgrade,” the project maintainers said in an advisory posted last week. “This is a drop-in replacement and upgrade should be straightforward.”
While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.
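Since the only remediation is upgrading, the practical first step is knowing which of your deployments sit inside the affected ranges. The helper below is an added example, not code from the article or from the Apache Struts project: it classifies a Struts version string (a bare version or a `struts2-core-*.jar` file name pulled from an inventory scan) against the version ranges and fixed releases listed above. The jar names in the sample run are constructed.

```python
from typing import Dict, Iterable, Tuple

# Fixed releases named in the CVE-2023-50164 advisory, as reported above.
FIXED_2_5 = (2, 5, 33)      # 2.5.x line: 2.5.0 – 2.5.32 affected
FIXED_6 = (6, 3, 0, 2)      # 6.x line:   6.0.0 – 6.3.0 affected


def parse_version(value: str) -> Tuple[int, ...]:
    """Turn '2.5.32' or 'struts2-core-6.3.0.2.jar' into a comparable int tuple."""
    core = value.strip().lower()
    if "struts2-core-" in core:          # strip a Maven-style jar name prefix
        core = core.split("struts2-core-", 1)[1]
    if core.endswith(".jar"):
        core = core[:-4]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Struts version: {value!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for CVE-2023-50164."""
    ver = parse_version(version)
    major = ver[0]
    minor = ver[1] if len(ver) > 1 else 0
    if major == 2 and minor == 3:
        # 2.3.x is end-of-life: the advisory lists 2.3.37 as affected and
        # ships no 2.3 fix, so the only remediation is moving to 2.5.33+ / 6.3.0.2+.
        return "eol"
    if major == 2 and minor == 5:
        # Tuple comparison handles short forms: (2, 5) < (2, 5, 33).
        return "fixed" if ver >= FIXED_2_5 else "vulnerable"
    if major == 6:
        # (6, 3, 0) < (6, 3, 0, 2): a shorter prefix compares as lower.
        return "fixed" if ver >= FIXED_6 else "vulnerable"
    return "unknown"      # outside the ranges the advisory covers


def triage(jars: Iterable[str]) -> Dict[str, str]:
    """Map each inventory entry to its assessment; useful for a fleet-wide report."""
    return {jar: assess(jar) for jar in jars}


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    sample = ["struts2-core-2.5.32.jar", "struts2-core-6.3.0.jar",
              "struts2-core-6.3.0.2.jar", "struts2-core-2.3.37.jar"]
    for jar, status in triage(sample).items():
        print(f"{jar}: {status}")
```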
Some parts of this article are sourced from:
thehackernews.com