CVE-2023-50164 – org.apache.struts:struts2-core
Package
Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=2.0.0 <2.5.33 || >=6.0.0 <6.3.0.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.92864 (percentile 0.99757)
Details
Apache Struts vulnerable to path traversal
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
Metadata
Created: 2023-12-07T09:30:45Z
Modified: 2025-02-13T19:28:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-2j39-qcjm-428w/GHSA-2j39-qcjm-428w.json
CWE IDs: ["CWE-552"]
Alternative ID: GHSA-2j39-qcjm-428w
Finding: F123
Auto approve: 1