CVE-2023-50164
Apache Struts vulnerable to path traversal
CVSS 3.1: 9.8 (CRITICAL)
EPSS: 93.7%
Description
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file that can be used to perform remote code execution. Users are recommended to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
How to fix CVE-2023-50164
To remediate CVE-2023-50164, upgrade the affected package to a fixed version below.
- upgrade to 2.5.33 or later
Is CVE-2023-50164 being exploited?
Likely — EPSS is 93.7%, placing CVE-2023-50164 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- >= 2.0.0, < 2.5.33
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |