A vulnerability in Apache Struts 2 allows attackers to upload malicious files to servers and run their own code. A patch is available; a workaround is not.
Apache Struts 2 contains a bug that allows attackers to upload files to a server and execute their own code. The vulnerability has a CVSS score of 9.8. The flaw sits in the framework's file-upload handling: by manipulating the upload parameters, an attacker can make the uploaded file land outside the intended upload directory (path traversal). If the file lands somewhere the server will execute it, for instance as a web shell, the attacker gains control of the server.
Critical, and without a workaround
The bug is tracked as CVE-2023-50164 and is rated critical. There is no workaround that mitigates the problem, so the only fix is to install the patched release: Apache Struts 2.5.33 and 6.3.0.2 are no longer affected. Everything older in both lines is, that is 2.x up to and including 2.5.32 and 6.x up to and including 6.3.0.1. The 2.3.x line is end of life and receives no patch; installations still on it need to move to 2.5.33 or later.
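The first thing a practitioner wants here is an answer to "are we running an affected build?". The POSIX shell script below is an added example, not code from the article or from the Apache Struts project: it compares a Struts version string against the fixed releases named above (2.5.33 for the 2.x line, 6.3.0.2 for the 6.x line) and scans a deployment directory for `struts2-core-*.jar` files. It assumes the usual Maven jar naming and purely numeric, dot-separated versions; anything outside the 2.x and 6.x lines is reported as unknown rather than guessed at.

```sh
#!/bin/sh
# Added example (not from the original article or the Struts project):
# flag Apache Struts 2 jars older than the fixed releases 2.5.33 / 6.3.0.2.
# Assumes numeric, dot-separated version strings (as Struts releases use).

# version_lt A B -> exit status 0 if A < B, comparing up to four numeric
# fields. ".0.0.0" is appended so that short versions (e.g. 6.3.0) still
# yield four fields when cut.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s.0.0.0' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0.0' "$2" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# struts_status VERSION -> prints "vulnerable", "fixed" or "unknown".
# The 2.x line (including the end-of-life 2.3.x releases) is fixed from
# 2.5.33; the 6.x line from 6.3.0.2. Other major versions are not covered
# by this advisory, so they are reported as unknown.
struts_status() {
    case "$1" in
        2.*) if version_lt "$1" 2.5.33;  then echo vulnerable; else echo fixed; fi ;;
        6.*) if version_lt "$1" 6.3.0.2; then echo vulnerable; else echo fixed; fi ;;
        *)   echo unknown ;;
    esac
}

# scan_struts_jars DIR -> one line per struts2-core jar found under DIR:
# "<path> <version> <status>". The version is taken from the jar file name
# (struts2-core-<version>.jar), the naming Maven-built deployments use.
scan_struts_jars() {
    find "$1" -name 'struts2-core-*.jar' 2>/dev/null | while read -r jar; do
        v=$(basename "$jar" .jar | sed 's/^struts2-core-//')
        printf '%s %s %s\n' "$jar" "$v" "$(struts_status "$v")"
    done
}

# Usage: sh struts-check.sh /path/to/tomcat/webapps
if [ "$#" -gt 0 ]; then
    scan_struts_jars "$1"
fi
```

Run it against the servlet container's webapps directory (or any directory holding exploded WARs). For source trees built with Maven, `mvn dependency:tree | grep struts2-core` gives the same answer, and also catches a vulnerable Struts pulled in transitively by another dependency, which a jar scan of a single application directory might miss.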
Apache Struts 2 is no longer the most modern framework, but it remains widely deployed, so a vulnerability in it can have far-reaching consequences. Anyone running Apache Struts 2 should not hesitate and should give this patch absolute priority. The effort of upgrading is small compared with the damage once an attacker exploits the bug to gain access.