SRC-2023-0004 : Apache Struts Security Feature Bypass Remote Code Execution Vulnerability

CVE ID: CVE-2023-50164

CVSS Score: 9.8, (/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: Apache

Affected Products: Struts 2.0.0 - Struts 2.3.37, Struts 2.5.0 - Struts 2.5.32, Struts 6.0.0 - Struts 6.3.0

Vulnerability Details:

This vulnerability may allow remote attackers to execute arbitrary code on applications utilizing affected installations of Apache Struts. Depending on the context, authentication may not be required to exploit this vulnerability.

The specific flaw exists within the underlying http parameter parsing logic. The issue results from the control specific http parameters by allowing the attacker to specify uppercase characters. An attacker can leverage this vulnerability to trigger a directory traversal which may result in the execution of arbitrary code in the context of the application.

Vendor Response:

Apache has issued an update to correct this vulnerability. More details can be found at: https://cwiki.apache.org/confluence/display/WW/S2-066

Disclosure Timeline:

• 2023-11-08 – Vulnerability reported to [email protected]

• 2023-12-07 – Coordinated public release of advisory

Credit: This vulnerability was discovered by Steven Seeley of Source Incite