{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-095.pdf"
    },
    "title": "Critical Vulnerability in Apache Struts",
    "serial_number": "2023-095",
    "publish_date": "11-12-2023 13:07:53",
    "description": "On December 7, 2023, the Apache Struts project released an update addressing a critical security vulnerability in Apache Struts. Under some circumstances, this vulnerability could lead to remote code execution.<br>\nIt is recommended to upgrade to a non-vulnerable version as soon as possible.<br>\n",
    "url_title": "2023-095",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in Apache Struts'\nnumber: '2023-095'\nversion: '1.0'\noriginal_date: 'December 7, 2023'\ndate: 'December 11, 2023'\n---\n\n_History:_\n\n* _11/12/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 7, 2023, the Apache Struts project released an update addressing a critical security vulnerability in Apache Struts. Under some circumstances, this vulnerability could lead to remote code execution [1,2].\n\nIt is recommended to upgrade to a non-vulnerable version as soon as possible.\n\n# Technical Details\n\nThe vulnerability, identified as **CVE-2023-50164** with a CVSS score of 9.8 [3], allows an attacker to manipulate file upload parameters so that an uploaded file is written outside the intended upload directory (path traversal). Under some circumstances this allows the attacker to place a malicious file in a location (for example, a web-accessible directory) from which it can be used to achieve remote code execution.\n\n# Affected Products\n\nThis vulnerability affects Apache Struts versions 2.0.0 through 2.5.32 and 6.0.0 through 6.3.0.1 [2].\n\n# Recommendations\n\nIt is recommended to upgrade to a non-vulnerable version (Struts 2.5.33 or 6.3.0.2 or later, as stated in the Apache advisory [2]) as soon as possible.\n\n# References\n\n[1] <https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/>\n\n[2] <https://cwiki.apache.org/confluence/display/WW/S2-066>\n\n[3] <https://www.tenable.com/cve/CVE-2023-50164>",
    "content_html": "<p><em>History:</em></p><ul><li><em>11/12/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 7, 2023, the Apache Struts project released an update addressing a critical security vulnerability in Apache Struts. Under some circumstances, this vulnerability could lead to remote code execution [1,2].</p><p>It is recommended to upgrade to a non-vulnerable version as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability, identified as <strong>CVE-2023-50164</strong> with a CVSS score of 9.8 [3], allows an attacker to manipulate file upload parameters so that an uploaded file is written outside the intended upload directory (path traversal). Under some circumstances this allows the attacker to place a malicious file in a location (for example, a web-accessible directory) from which it can be used to achieve remote code execution.</p><h2 id=\"affected-products\">Affected Products</h2><p>This vulnerability affects Apache Struts versions 2.0.0 through 2.5.32 and 6.0.0 through 6.3.0.1 [2].</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to upgrade to a non-vulnerable version (Struts 2.5.33 or 6.3.0.2 or later, as stated in the Apache advisory [2]) as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/\">https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cwiki.apache.org/confluence/display/WW/S2-066\">https://cwiki.apache.org/confluence/display/WW/S2-066</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.tenable.com/cve/CVE-2023-50164\">https://www.tenable.com/cve/CVE-2023-50164</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}