CVE-2023-50164

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-50164
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html Third Party Advisory VDB Entry
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj Mailing List Patch
https://security.netapp.com/advisory/ntap-20231214-0010/ Third Party Advisory VDB Entry
https://www.openwall.com/lists/oss-security/2023/12/07/1 Mailing List
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
History

20 Dec 2023, 17:58

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html - () http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html - Third Party Advisory, VDB Entry
References () https://security.netapp.com/advisory/ntap-20231214-0010/ - () https://security.netapp.com/advisory/ntap-20231214-0010/ - Third Party Advisory, VDB Entry

14 Dec 2023, 10:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20231214-0010/ -

13 Dec 2023, 17:15

Type Values Removed Values Added
References
  • () http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html -

12 Dec 2023, 17:01

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
First Time Apache
Apache struts
References () https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj - () https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj - Mailing List, Patch
References () https://www.openwall.com/lists/oss-security/2023/12/07/1 - () https://www.openwall.com/lists/oss-security/2023/12/07/1 - Mailing List
CPE cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

07 Dec 2023, 21:15

Type Values Removed Values Added
Summary An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or  Struts 6.3.0.1 or greater to fix this issue. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
References
  • {'url': 'http://www.openwall.com/lists/oss-security/2023/12/07/1', 'name': 'http://www.openwall.com/lists/oss-security/2023/12/07/1', 'tags': [], 'refsource': ''}
  • () https://www.openwall.com/lists/oss-security/2023/12/07/1 -

07 Dec 2023, 15:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2023/12/07/1 -

07 Dec 2023, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-07 09:15

Updated : 2023-12-20 17:58

NVD link : CVE-2023-50164

Mitre link : CVE-2023-50164

CVE.ORG link : CVE-2023-50164

JSON object : View

Products Affected

apache

  • struts
CWE
CWE-552

Files or Directories Accessible to External Parties