13th December 2023
Last week, on December 7, 2023, the following critical-severity Apache Struts vulnerability was disclosed: CVE-2023-50164 (CVSS 3.1 score: 9.8). An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file that can be used to perform remote code execution. Details are available in the Apache Software Foundation security bulletin.
Yesterday, Cisco published a security advisory because multiple Cisco products are affected by this vulnerability. Cisco is currently investigating the affected products and their impact. Refer to their security advisory for the latest updates.
Affected versions:
- Apache Struts 2.0.0 through 2.5.32
- Apache Struts 6.0.0 through 184.108.40.206
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 220.127.116.11 or greater to fix this issue.