Files or Directories Accessible to External Parties in org.apache.struts:struts2-assembly

CVE-2023-50164

org.apache.struts:struts2-assembly
org.apache.struts:struts2-core
org.apache.struts:struts2-parent

High

9.8/10

Summary

An attacker can manipulate file upload params to enable path traversal and under some circumstances, this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts versions prior to 2.5.33, and 6.x prior to 6.3.0.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-552 - Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References

Advisory
Advisory
Mail Thread

Advisory Timeline

Published Dec 07, 2023

Files or Directories Accessible to External Parties in org.apache.struts:struts2-assembly

CVE-2023-50164

Summary

CWE-552 - Files or Directories Accessible to External Parties

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS