
Four in five Apache Struts 2 downloads are for versions featuring critical flaw


Jasper_The_Rasper
Moderator

Seriously, people - please check the stuff you fetch more carefully

 

December 21, 2023 By Connor Jones

 

Security vendor Sonatype believes developers are failing to address the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, based on recent downloads of the code.

The vulnerability, tracked as CVE-2023-50164, is rated 9.8 out of 10 in terms of CVSS severity. It is a logic bug in the framework's file upload feature: if an application uses Struts 2 to allow users to upload files to a server, those folks can abuse the vulnerability to save documents where they shouldn't be allowed to on that remote machine. Thus someone could, for instance, use the flaw to upload a webshell script to a web server, and access it to take control of or get a foothold on that system.

The consequences of successful exploitation could be hugely damaging: think data theft, malware infections, network intrusion, and that sort of thing.

 

>> Full Article <<
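The article describes the bug class only in outline: an upload handler lets a client-supplied filename decide where the file lands, so a document can be written outside the intended directory and, if the web server will execute it, becomes a webshell. The following is an added illustration of that defect class and a hardened check, not Struts code and not the actual mechanism of CVE-2023-50164 (which the post does not detail); the upload root, extension list and filenames are constructed for the example.

```python
import posixpath

# Constructed values for the example; not taken from Struts or the advisory.
UPLOAD_ROOT = "/srv/app/uploads"
SERVER_EXECUTABLE = {".jsp", ".jspx", ".war", ".php", ".sh"}


def naive_destination(user_filename: str, root: str = UPLOAD_ROOT) -> str:
    """The pattern the article warns about: trust the client-supplied name.

    posixpath.join() applies '..' segments verbatim, so a name containing
    them resolves to a location outside ``root``.
    """
    return posixpath.normpath(posixpath.join(root, user_filename))


def is_inside(root: str, path: str) -> bool:
    """True if ``path`` is ``root`` itself or lies below it after normalisation.

    The trailing '/' guard stops '/srv/app/uploads-old' from matching
    '/srv/app/uploads' by prefix alone.
    """
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def safe_destination(user_filename: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened variant: keep only the final name, then re-check containment."""
    if not user_filename or "\x00" in user_filename:
        raise ValueError("empty or NUL-containing filename")
    # Treat backslashes as separators too; Windows clients send them.
    name = posixpath.basename(user_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("filename has no usable component")
    if posixpath.splitext(name)[1].lower() in SERVER_EXECUTABLE:
        raise ValueError("server-executable extension rejected")
    dest = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: basename() already strips directories, but the
    # containment property is what the handler actually relies on.
    if not is_inside(root, dest):
        raise ValueError("destination escapes upload root")
    return dest
```

The hardened version refuses the traversal rather than silently rewriting it only where the name is unusable; a real handler would also log the rejection, since repeated attempts are a useful detection signal.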
