Yet another remote code execution vulnerability in Apache's Struts2 framework has been discovered, leaving many with a strong feeling of déjà vu. If you're a developer, it's not unreasonable to be concerned about how you may spend the final weeks of 2023.
Unfortunately, the recently identified CVE-2023-50164 in Apache Struts resembles other vulnerabilities we've seen in the past, most notably the high-profile Struts2 vulnerability in 2017 that impacted Equifax, Log4Shell (Log4j) at the end of 2021, and Spring4Shell, which followed shortly after.
Note: Sonatype customers using Sonatype Repository Firewall and Sonatype Lifecycle are protected from this issue. Sonatype security research conducted a deep dive analysis into the issue as it surfaced.
Understanding CVE-2023-50164
At its core, this vulnerability allows attackers to exploit a flaw in Apache Struts' file upload system. By manipulating the file upload parameters they can perform path traversal. This can result in arbitrary code execution on the server, with outcomes ranging from unauthorized data access and system compromise to complete control over the affected systems, including placing malicious files on them.
Taking a closer look, CVE-2023-50164 is a vulnerability in the file upload mechanism of Apache Struts. For a non-technical audience, imagine a security checkpoint (the file upload mechanism) that is bypassed through a loophole, allowing unauthorized access to secure areas (the server). From a technical perspective, the vulnerability lies in how Apache Struts handles a component called MultiPartRequestWrapper during file uploads. Attackers can manipulate this process to achieve path traversal, which lets them overwrite arbitrary files and may in turn lead to arbitrary code execution on the server, configuration changes, and so on.
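The path traversal described above works because a client-supplied file name is allowed to carry directory components (such as "..") that move the write outside the intended upload directory. The following is an added example, not code from Apache Struts or from Sonatype, showing the defensive check an application should apply to the exact name it is about to write: resolve the name against the upload root, normalize the result, and refuse anything that does not remain under that root. The directory `/var/app/uploads` and the sample names are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added illustration (not Struts code): a defensive check that a
 * client-supplied upload file name cannot escape the upload directory.
 */
public final class UploadPathGuard {

    private UploadPathGuard() {}

    /**
     * Resolve the client-supplied name against the upload root and confirm
     * the normalized result still lives under that root. Returns the safe
     * absolute path, or throws if the name would traverse out of the directory.
     */
    public static Path resolveSafely(Path uploadRoot, String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // A legitimate upload name never needs a directory component, so reject
        // both separator styles (and NUL bytes) outright instead of trying to
        // strip "../" sequences, which is easy to get wrong.
        if (clientFileName.indexOf('/') >= 0
                || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("directory separators not allowed: " + clientFileName);
        }
        Path root = uploadRoot.toAbsolutePath().normalize();
        // normalize() collapses "." and ".." segments, so startsWith() is
        // evaluated on the directory the file would actually land in.
        Path candidate = root.resolve(clientFileName).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IllegalArgumentException("path traversal attempt: " + clientFileName);
        }
        return candidate;
    }

    /** Convenience wrapper for callers that only need an accept/reject answer. */
    public static boolean isSafe(Path uploadRoot, String clientFileName) {
        try {
            resolveSafely(uploadRoot, clientFileName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/app/uploads"); // constructed example directory
        String[] samples = {
            "report.pdf",          // accepted: plain name under the root
            "../other/file.txt",   // rejected: separator plus parent reference
            "..",                  // rejected: normalizes to the root's parent
            ".",                   // rejected: normalizes to the root itself
            "notes\\..\\x.txt"     // rejected: Windows-style separators
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isSafe(root, s) ? "accepted" : "rejected"));
        }
    }
}
```

The check belongs at the point where the file is written, applied to the exact name the framework hands the application; validating a copy of the name elsewhere in the request pipeline and then writing with a different value is what this class of bug exploits. Rejecting names with separators is deliberately stricter than the normalize-and-compare step alone; the second step remains as defense in depth for names that reach the writer by another route.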
Unique Potential Requires Quick Action
The discovery of CVE-2023-50164 has significant real-world implications. For various sectors relying on Apache Struts, the risks