Description
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
A flaw was found in Apache Struts. Affected versions of this package are vulnerable to Remote Code Execution (RCE) via manipulation of file upload parameters that enable path traversal. Under certain conditions, uploading a malicious file is possible, which may then be executed on the server.
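The two descriptions above come down to one defensive requirement: a file name taken from an upload request must never be allowed to choose the directory it lands in, and the stored file must not be something the server will execute. The following Java class is an added illustration of that check for application code that names stored files from request data; it is not the Struts fix, not code from the advisory, and does not use any Struts API. The upload root, the extension allow-list and the sample names are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public final class UploadNameGuard {
    // Example allow-list (assumption for this illustration); the set an
    // application needs depends on what it actually serves.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "png", "jpg", "txt");

    private UploadNameGuard() {}

    /**
     * Returns the path under uploadRoot where the file may be stored, or null
     * when the client-supplied name is rejected. Rejection is the only outcome
     * for anything that is not a plain leaf name: silently "cleaning" a name
     * hides the fact that a request tried to escape the upload directory.
     */
    public static Path resolveSafely(Path uploadRoot, String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            return null;
        }
        // Fail closed on separators of either flavour, "." / "..", and NUL bytes
        // that some runtimes use to truncate a path.
        if (clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0
                || clientFileName.equals(".") || clientFileName.equals("..")) {
            return null;
        }
        int dot = clientFileName.lastIndexOf('.');
        if (dot <= 0 || dot == clientFileName.length() - 1) {
            return null; // no extension, or a leading dot only (e.g. ".htaccess")
        }
        String ext = clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            return null; // the server must never store a type it would execute
        }
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(clientFileName).normalize();
        // Containment check as defence in depth, in case the checks above are
        // ever relaxed: the resolved path must stay strictly inside the root.
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/app/uploads"); // constructed sample root
        String[] samples = {                        // constructed sample names
            "report.pdf",                 // accepted
            "../../webapps/ROOT/x.jsp",   // rejected: traversal components
            "C:\\Windows\\x.txt",         // rejected: backslash separator
            "x.jsp",                      // rejected: extension not allowed
            ".htaccess"                   // rejected: no usable extension
        };
        for (String s : samples) {
            Path r = resolveSafely(root, s);
            System.out.println(s + " -> " + (r == null ? "REJECTED" : r));
        }
    }
}
```

In a real deployment the stored name is best generated server-side (a random id plus the validated extension), with the client name kept only as metadata; the guard above is the minimum check to apply when the client name is used at all, and a rejected name is worth logging, since a request that carries traversal components is itself a detection signal.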
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | org.apache.struts-struts-core | Not affected | | |
| Migration Toolkit for Applications 6 | org.apache.struts-struts-core | Not affected | | |
| Migration Toolkit for Runtimes | org.apache.struts-struts-core | Not affected | | |
| OpenShift Serverless | org.apache.struts-struts-core | Not affected | | |
| Red Hat AMQ Broker 7 | org.apache.struts-struts-core | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 3 | org.apache.struts-struts-core | Not affected | | |
| Red Hat build of Debezium 2 | org.apache.struts-struts-core | Not affected | | |
| Red Hat Build of Keycloak | org.apache.struts-struts-core | Not affected | | |
| Red Hat build of OptaPlanner 8 | org.apache.struts-struts-core | Not affected | | |
| Red Hat build of Quarkus | org.apache.struts/struts-core | Not affected | | |
Additional information
Status:
CVSS3: 9.8 Critical
Related vulnerabilities
A vulnerability in the Apache Struts software platform, related to the use of files and directories accessible to external parties, that allows an attacker to execute arbitrary code
CVSS3: 9.8 Critical