The Apache Software Foundation issued security updates to fix a remote code execution vulnerability in the Apache Struts 2 software package.
Apache Struts is an open-source web development framework for Java web applications. It’s widely used to build corporate websites in sectors including education, government, financial services, retail and media.
Tracked as CVE-2023-50164, the vulnerability was described as a path traversal issue caused by an input validation error when processing directory traversal sequences in path names. A remote attacker could exploit it to upload a malicious file to the server and then execute it. The flaw affects Struts 2.0.0 through 2.3.37 (end of life), Struts 2.5.0 through 2.5.32, and Struts 6.0.0 through 6.3.0.
While there’s no indication that this vulnerability has been exploited in the wild, users are strongly advised to upgrade to Apache Struts version 6.3.0.2 or later.
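Upgrading is the fix; as a defence-in-depth illustration of the bug class described above, the following is an added example (not Struts project code, and not tied to the framework's own upload API) of how an application should treat a client-supplied file name before writing an upload to disk. The helper class, its method names and the `uploads` directory are assumptions for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeUploadPath {

    /**
     * Resolve a client-supplied file name against the upload root.
     * Rejects anything carrying directory separators or traversal
     * segments, then confirms the canonical target still lies inside
     * the root. Throws IOException on any rejected name.
     */
    public static Path resolveUpload(Path uploadRoot, String clientFileName) throws IOException {
        // Reject separators and traversal segments outright; a legitimate
        // upload name has no directory component.
        if (clientFileName == null || clientFileName.isEmpty()
                || clientFileName.indexOf('/') >= 0
                || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0
                || clientFileName.equals(".") || clientFileName.equals("..")) {
            throw new IOException("rejected file name: " + clientFileName);
        }

        // Canonicalise the root (symlinks resolved) and normalise the target
        // before the containment check, so the check cannot be bypassed by
        // a root that is itself a link.
        Path root = uploadRoot.toRealPath();
        Path target = root.resolve(clientFileName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("path escapes upload root: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : "uploads");
        Files.createDirectories(root);
        // Constructed sample inputs: one ordinary name, two traversal attempts.
        for (String name : new String[] {"report.pdf", "../../etc/passwd", "..\\..\\win.ini"}) {
            try {
                System.out.println(name + " -> accepted as " + resolveUpload(root, name));
            } catch (IOException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```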
Struts vulnerabilities have been repeatedly targeted by hackers over the years, including the infamous hack of the US credit reporting agency Equifax in May 2017.
Earlier this month, Australian software company Atlassian released security updates to address a slew of high-risk vulnerabilities (CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523), all of which, if exploited, could lead to remote code execution.