Dec 07, 2023 - 9:15 a.m.

CVE-2023-50164

2023-12-07 09:15:07
CWE-552
web.nvd.nist.gov
cve-2023-50164
vulnerability
file upload
path traversal
rce
struts 2
struts 6

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.4 High (Confidence: High)

EPSS: 0.09 Low (Percentile: 94.7%)

An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file that can be used to perform Remote Code Execution.
Users are recommended to upgrade to Struts 2.5.33, Struts 6.3.0.2, or greater to fix this issue.

Affected configurations

Node
apache struts, Range ≤ 2.5.32
OR
apache struts, Range ≤ 6.3.0.1

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.struts",
    "product": "Apache Struts",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.5.32",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "6.3.0.1",
        "status": "affected",
        "version": "6.0.0",
        "versionType": "semver"
      }
    ]
  }
]
