A critical security vulnerability has been discovered in Apache Struts 2, a popular open-source web application framework, potentially exposing numerous organizations to severe cyber threats.
The flaw, identified as CVE-2023-50164, allows attackers to manipulate file upload parameters, enabling unauthorized path traversal and potentially leading to remote code execution (RCE).
The vulnerability affects multiple versions of Apache Struts 2, including Struts 2.0.0 to 2.3.37 (which is end-of-life), Struts 2.5.0 to 2.5.32, and Struts 6.0.0 to 6.3.0.
With a critical CVSS score of 9.8, this flaw poses a significant threat to organizations using vulnerable versions of the framework.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
The core issue lies in the flawed file upload logic of Apache Struts 2. Attackers can exploit this vulnerability by manipulating file upload parameters, potentially uploading malicious files to arbitrary locations on the server.
Once uploaded, these files can be executed, granting the attacker full control over the system.
A key aspect of this vulnerability is its exploitation of case-sensitive HTTP parameters. Attackers can bypass usual checks and validations by sending a capitalized parameter and later using a lowercase parameter with the same name in a request.
Impact and Risks
The potential impact of CVE-2023-50164 is severe. Successful exploitation could lead to:
- Remote code execution
- Unauthorized access to sensitive data
- System compromise
- Potential for further attacks within the network
The Apache Struts project has released patched versions to address this critical vulnerability. Organizations are strongly advised to upgrade to one of the following versions immediately:
- Apache Struts 2.5.33
- Apache Struts 6.3.0.2 or later
No known workarounds exist for this vulnerability, making the upgrade crucial for maintaining security.
While upgrading is essential, organizations should also implement additional security measures:
- Review and restrict file upload configurations
- Implement a Web Application Firewall (WAF)
- Regularly update all software components
- Monitor applications for suspicious activities
Organizations using Apache Struts 2 must take immediate action to protect their systems from potential exploitation.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free