https://cve.circl.lu/comments/feed Most recent comment. 2024-12-22T18:06:27.135720+00:00 Vulnerability Lookup info@circl.lu python-feedgen Contains only the most 10 recent comments. https://cve.circl.lu/comment/a459b3c2-e2f0-467e-8fe5-e7c2b47a9fe3 CVE-2023-50164 - Rapid7 analysis 2024-12-22T18:06:27.143395+00:00 Alexandre Dulaunoy http://cve.circl.lu/user/adulau Reference - [https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis](https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis) [Apache Struts](https://struts.apache.org/) is a popular Java web application framework. On December 7, 2023 Apache [published an advisory](https://www.openwall.com/lists/oss-security/2023/12/07/1) for [CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164), a Struts parameter pollution vulnerability that potentially leads to arbitrary file uploads. An attacker with the ability to perform arbitrary file uploads is very likely to be able to leverage this and achieve remote code execution. According [to the vendor](https://cwiki.apache.org/confluence/display/WW/S2-066), the following versions of Struts are affected: * Struts 2.0.0 – Struts 2.3.37 (End of Life) * Struts 2.5.0 – Struts 2.5.32 * Struts 6.0.0 – Struts 6.3.0 Several technical analyses on the root cause of the vulnerability have already been done ([here](https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-\(-S2-066-CVE-2023-50164\)), [here](https://xz.aliyun.com/t/13172), and [here](https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE)). Notably, all current public analysis of the vulnerability demonstrates exploitation on a custom made demo web application. **There are currently no known production web applications that are exploitable**, although this is likely to change as the vulnerability comes under more scrutiny from researchers, and given the popularity of the Struts framework in enterprise web applications. Several security firms have reported exploitation ([here](https://twitter.com/akamai_research/status/1735049812746137929) and [here](https://twitter.com/shadowserver/status/1734919288257974380)), but as of December 15, 2023, it is unclear if the activity being reported actually refers to successful exploitation (i.e., code execution) against one or more known vulnerable targets, or if this is merely highlighting exploit attempts with the existing public PoCs (all of which target a demo application) being sprayed opportunistically at indiscriminate targets. However, exploitation of this vulnerability will be target-specific based on the differing target action’s endpoints, the naming convention of the expected uploaded file name, and any other target-specific restrictions that may need to be overcome. # Remediation Vendors who develop applications that use Apache Struts should upgrade to Struts 2.5.33, Struts 6.3.0.2, or greater to remediate CVE-2023-50164. 2024-12-19T05:38:18.769241+00:00