CVE-2023-50164

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Struts allows attackers to manipulate file upload parameters to perform path traversal attacks, potentially leading to remote code execution. It affects Apache Struts 2 installations with file upload functionality. Organizations using vulnerable Struts versions are at risk.

💻 Affected Systems

Products:
  • Apache Struts
Versions: Apache Struts 2.0.0 through 2.5.32 and Struts 6.0.0 through 6.3.0.1
Operating Systems: All operating systems running vulnerable Struts versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires file upload functionality to be enabled and accessible to attackers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through remote code execution, allowing attackers to execute arbitrary commands, steal data, deploy malware, or pivot to other systems.

🟠 Likely Case

File upload manipulation leading to unauthorized file writes, potential web shell deployment, and limited code execution within the application context.

🟢 If Mitigated

Attack blocked at WAF/IPS layer or fails due to proper input validation and file upload restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and relatively easy to execute against vulnerable systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Struts 2.5.33 or Struts 6.3.0.2

Vendor Advisory: https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj

Restart Required: Yes

Instructions:

1. Download Struts 2.5.33 or 6.3.0.2 from the Apache website.
2. Back up the current installation.
3. Replace the vulnerable Struts JAR files with the patched versions.
4. Restart the application server.
5. Test application functionality.

🔧 Temporary Workarounds

File Upload Restriction

Implement strict file upload validation including file type checking, size limits, and path validation.

WAF Rule Implementation

Deploy WAF rules to block path traversal patterns in file upload parameters.

🧯 If You Can't Patch

  • Disable file upload functionality entirely if not required
  • Implement application-level input validation to reject path traversal patterns in upload parameters

🔍 How to Verify

Check if Vulnerable:

Check Struts version in application's WEB-INF/lib directory for struts2-core JAR file version.

Check Version:

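Read the version from the JAR file name (struts2-core-<version>.jar) or check META-INF/MANIFEST.MF in the JAR file:

unzip -p WEB-INF/lib/struts2-core-*.jar META-INF/MANIFEST.MF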

Verify Fix Applied:

Verify struts2-core JAR file version is 2.5.33 or higher (for Struts 2) or 6.3.0.2 or higher (for Struts 6).
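
The version check described above, as an added shell example (not part of the original page and not Apache Struts code): it finds struts2-core JARs under WEB-INF/lib and classifies each one against the affected and fixed version ranges listed on this page. The function names and the manifest-header fallback are assumptions of this example.

```sh
#!/bin/sh
# Added example: classify struts2-core JARs against the ranges on this page.

# ver_le A B: succeeds when dotted version A <= B (missing fields count as 0).
ver_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Affected: 2.0.0-2.5.32 and 6.0.0-6.3.0.1. Fixed: 2.5.33+ and 6.3.0.2+.
classify_struts_version() {
  case "$1" in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
  case "${1%%.*}" in
    2) if ver_le "$1" 2.5.32; then echo vulnerable; else echo fixed; fi ;;
    6) if ver_le "$1" 6.3.0.1; then echo vulnerable; else echo fixed; fi ;;
    *) echo not-listed ;;   # release line not covered by this page
  esac
}

# Version from the file name, else from the manifest (assumption: the JAR
# carries a standard Implementation-Version or Bundle-Version header).
jar_version() {
  v=$(basename "$1" .jar); v=${v#struts2-core-}
  case "$v" in ''|*[!0-9.]*)
    v=$(unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null | tr -d '\r' |
        sed -n -e 's/^Implementation-Version: //p' \
               -e 's/^Bundle-Version: //p' | head -n 1) ;;
  esac
  echo "$v"
}

# scan_webapps DIR: one "status<TAB>version<TAB>path" line per JAR found.
scan_webapps() {
  find "$1" -type f -path '*/WEB-INF/lib/struts2-core*.jar' 2>/dev/null |
  while IFS= read -r jar; do
    v=$(jar_version "$jar")
    printf '%s\t%s\t%s\n' "$(classify_struts_version "$v")" "${v:-?}" "$jar"
  done
}

if [ $# -gt 0 ]; then scan_webapps "$1"; fi
```

JARs still packed inside an undeployed .war or nested in another archive are not seen by find; unpack those before scanning.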

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload requests with path traversal patterns
  • Multiple failed upload attempts with suspicious parameters
  • Unexpected file writes to system directories

Network Indicators:

  • HTTP POST requests to file upload endpoints with ../ patterns in parameters
  • Unusual outbound connections from application server post-upload

SIEM Query:

source="web_logs" AND (uri_path="*upload*" OR uri_path="*file*action") AND (http_params="*../*" OR http_params="*..\\*" OR http_params="*%2e%2e%2f*")
