CVE-2023-50164 is a critical vulnerability discovered in Apache Struts2, an extensively used open-source Model-View-Controller (MVC) framework for Java web applications.
Here’s a detailed breakdown based on the latest information.
CVE-2023-50164 allows an attacker to manipulate file upload parameters so that the file name Struts uses when saving an upload is attacker-controlled, which enables path traversal. If the application then writes the uploaded file to a location the server will execute, such as a JSP under the web root, this can be leveraged for Remote Code Execution (RCE).
Impact: This vulnerability poses a serious threat as it could potentially enable remote attackers to execute arbitrary code on affected servers.
- Flawed Component: The vulnerability stems from a defective file upload logic in Apache Struts 2.
- Severity Rating: It has a CVSS 3.x base score of 9.8, categorized as CRITICAL. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability is both highly damaging and easy to exploit.
Apache Struts versions 2.0.0 through 2.5.32 and 6.0.0 through 6.3.0.1 are affected by this vulnerability.
Mitigation and Updates
Apache Struts2 security updates were released to address this critical file upload vulnerability, mitigating the potential for remote code execution.
**Edgio’s platform is not impacted by this vulnerability. We recommend you take the following actions to protect your application.**
Recommended Action: Users are advised to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or later; upgrading is the only complete fix. If you are unable to upgrade immediately, Edgio can help you deploy custom security rules to mitigate this threat by blocking file uploads that use HTTP forms or multipart content types. Note that a blanket block on multipart requests will also stop legitimate uploads, so scope such a virtual patch to the affected applications and upload endpoints and treat it as a stopgap until the upgrade is done. It’s crucial to address this vulnerability promptly given its critical rating and potential for exploitation, so reach out to Edgio’s 24×7 SOC at email@example.com to get help implementing customized virtual patches.
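For teams writing their own virtual patch rather than blocking all multipart traffic, the following is an added example (not Edgio's or Apache's code) of a narrower check. It parses a raw multipart/form-data body and flags the pattern described above: a plain text field named `<param>FileName` carrying a path-traversal value alongside a file part whose name differs from `<param>` only in letter case. The heuristic, the boundary, the field names and the payload in `SAMPLE_BODY` are all constructed for this example; tune the field-name pattern to the upload parameters your own actions expose.

```python
"""Heuristic detector for CVE-2023-50164-style upload-parameter abuse.

Added example, not vendor code. It parses a raw multipart/form-data
body and flags a plain <param>FileName field with a traversal value
next to a file part whose name differs from <param> only by case.
"""
import re
from typing import Optional

# Constructed sample request: boundary, field names and payload are invented.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=----ExampleBoundary1234"
SAMPLE_BODY = (
    "------ExampleBoundary1234\r\n"
    'Content-Disposition: form-data; name="Upload"; filename="note.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    '<% out.println("hello"); %>\r\n'
    "------ExampleBoundary1234\r\n"
    'Content-Disposition: form-data; name="uploadFileName"\r\n'
    "\r\n"
    "../../webapps/ROOT/shell.jsp\r\n"
    "------ExampleBoundary1234--\r\n"
).encode()

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")          # ../ or ..\ segments
OVERRIDE_FIELD = re.compile(r"(.+?)(FileName|ContentType)$")  # Struts naming convention
DISPOSITION_PARAM = re.compile(r'(\w+)="([^"]*)"')


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Return the boundary of a multipart/form-data Content-Type, else None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal RFC 7578 parser: one dict (name, filename, data) per part."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter reached
            break
        if chunk.startswith(b"\r\n"):         # CRLF that ends the delimiter line
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):            # CRLF belongs to the next delimiter
            data = data[:-2]
        params = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            if key.strip().lower() == "content-disposition":
                params = dict(DISPOSITION_PARAM.findall(value))
        parts.append({"name": params.get("name", ""),
                      "filename": params.get("filename"),
                      "data": data})
    return parts


def find_upload_abuse(parts: list) -> list:
    """Flag <param>FileName / <param>ContentType text fields that look abusive."""
    file_part_names = {p["name"] for p in parts if p["filename"] is not None}
    findings = []
    for p in parts:
        if p["filename"] is not None:
            continue                           # genuine file parts are not overrides
        m = OVERRIDE_FIELD.match(p["name"])
        if not m:
            continue
        base, kind = m.group(1), m.group(2)
        value = p["data"].decode("utf-8", "replace")
        reasons = []
        if kind == "FileName" and TRAVERSAL.search(value):
            reasons.append("path traversal in overriding file name")
        for fname in file_part_names:
            if fname != base and fname.lower() == base.lower():
                reasons.append(f"file part {fname!r} differs from {base!r} only by case")
        if reasons:
            findings.append({"field": p["name"], "value": value, "reasons": reasons})
    return findings


def inspect_request(content_type: str, body: bytes) -> list:
    """Hook a WAF-style filter would call; non-multipart requests yield nothing."""
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return []
    return find_upload_abuse(parse_multipart(body, boundary))


if __name__ == "__main__":
    for f in inspect_request(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print(f["field"], "->", f["value"], "|", "; ".join(f["reasons"]))
```

Running the module prints the single finding for the constructed request (the `uploadFileName` field with both a traversal value and a case-colliding `Upload` file part). Because the check keys on the `<param>FileName` convention and on case collisions rather than on multipart as a whole, normal uploads pass through; it is still a heuristic and does not replace the upgrade.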