Tracked as CVE-2023-50164, the vulnerability is rooted in flawed file upload logic that could enable unauthorized path traversal and, under certain circumstances, could be exploited to upload a malicious file and achieve arbitrary code execution.
Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.
Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software:
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.
Source: https://thehackernews.com/