Security
Headlines
HeadlinesLatestCVEs

Headline

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed “file upload logic” that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file

The Hacker News
#vulnerability#web#apache#java#rce#auth#The Hacker News

Vulnerability / Software Security

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.

Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed “file upload logic” that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code.

Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications.

Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software -

  • Struts 2.3.37 (EOL)
  • Struts 2.5.0 - Struts 2.5.32, and
  • Struts 6.0.0 - Struts 6.3.0

Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.

“All developers are strongly advised to perform this upgrade,” the project maintainers said in an advisory posted last week. “This is a drop-in replacement and upgrade should be straightforward.”

While there is no evidence that the vulnerability is being maliciously exploited in real-world attacks, a prior security flaw in the software (CVE-2017-5638, CVSS score: 10.0) was weaponized by threat actors to breach consumer credit reporting agency Equifax in 2017.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2

A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it.

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]

Google Fixes Nearly 100 Android Security Issues

Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

By Deeba Ahmed The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection. This is a post from HackRead.com Read the original post: New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks

A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian

Recently-patched Apache Struts vulnerability used in worldwide attacks

A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

Microsoft patches 34 vulnerabilities, including one zero-day

Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!

GHSA-2j39-qcjm-428w: Apache Struts vulnerable to path traversal

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

CVE-2023-50164

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or  Struts 6.3.0.1 or greater to fix this issue.

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated

AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites

The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.

CVE-2022-26482: Security Center

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2017-3636: Oracle Critical Patch Update Advisory - July 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

The Hacker News: Latest News

Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service