SentinelOne

CVE-2023-50164: Apache Struts RCE Vulnerability

CVE-2023-50164 is a remote code execution flaw in Apache Struts caused by file upload parameter manipulation enabling path traversal. This post covers technical details, affected versions, impact, and mitigation.

CVE-2023-50164 Overview

CVE-2023-50164 is a critical path traversal vulnerability in Apache Struts that allows attackers to manipulate file upload parameters, enabling directory traversal attacks. Under certain circumstances, this vulnerability can be exploited to upload malicious files, which can then be leveraged to achieve Remote Code Execution (RCE) on affected systems.

Apache Struts is a widely used open-source framework for developing Java web applications. Given its extensive deployment in enterprise environments, this vulnerability poses significant risk to organizations relying on vulnerable versions of the framework.

Critical Impact

Successful exploitation allows unauthenticated remote attackers to upload malicious files and execute arbitrary code on vulnerable Apache Struts servers, potentially leading to complete system compromise.

Affected Products

  • Apache Struts versions prior to 2.5.33
  • Apache Struts versions prior to 6.3.0.2
  • All web applications built on vulnerable Apache Struts versions

Discovery Timeline

  • 2023-12-07 - CVE-2023-50164 published to NVD
  • 2025-02-13 - Last updated in NVD database

Technical Details for CVE-2023-50164

Vulnerability Analysis

This vulnerability exists within the file upload functionality of Apache Struts. The framework fails to properly validate and sanitize file upload parameters, allowing attackers to manipulate path-related parameters during the file upload process. This improper handling enables path traversal sequences (such as ../) to escape intended upload directories.

The attack exploits weaknesses in how Struts processes multipart file upload requests. By crafting specially designed HTTP requests with manipulated filename parameters, an attacker can write files to arbitrary locations on the server's filesystem. When combined with the ability to control file contents, this creates a direct pathway to Remote Code Execution by uploading executable server-side code (such as JSP files) to web-accessible directories.

This vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties), highlighting the core issue of improper access control over file system resources. The vulnerability requires no authentication and can be exploited remotely over the network, making it particularly dangerous for internet-facing Struts applications.

Root Cause

The root cause of CVE-2023-50164 lies in insufficient input validation within the Apache Struts file upload mechanism. The framework fails to adequately sanitize user-controlled parameters that influence file storage paths during multipart form data processing. Specifically, the vulnerability allows path traversal sequences to bypass intended directory restrictions, enabling files to be written outside of designated upload directories.

The insufficient validation of upload parameters permits attackers to manipulate the destination path where uploaded files are stored, circumventing the intended security controls that should confine uploads to specific directories.

Attack Vector

The attack is carried out remotely over the network without requiring authentication. An attacker targets the file upload functionality of a Struts-based web application by crafting malicious HTTP multipart requests.

The exploitation process involves:

  1. Identifying a Struts application with file upload capabilities
  2. Crafting HTTP requests with manipulated file upload parameters containing path traversal sequences
  3. Uploading a malicious payload (such as a JSP web shell) that gets written to a web-accessible directory
  4. Accessing the uploaded malicious file through the web server to trigger code execution

Proof-of-concept exploits are publicly available, significantly lowering the barrier to exploitation. The Packet Storm security advisory and GitHub PoC repository provide detailed technical information on exploitation techniques.

Detection Methods for CVE-2023-50164

Indicators of Compromise

  • Unexpected files appearing in web-accessible directories, particularly JSP or other executable files
  • HTTP requests to file upload endpoints containing path traversal sequences (../, ..%2f, etc.) in filename parameters
  • Web shell artifacts or unauthorized executable files in application directories
  • Anomalous file system write operations to directories outside designated upload locations

Detection Strategies

  • Monitor HTTP traffic for multipart form requests containing path traversal patterns in Content-Disposition headers or filename fields
  • Implement web application firewall (WAF) rules to detect and block requests with directory traversal sequences in upload parameters
  • Deploy file integrity monitoring on web application directories to detect unauthorized file additions
  • Review web server access logs for requests to newly created files in unexpected locations

Monitoring Recommendations

  • Enable detailed logging for file upload operations including full request parameters and resulting file paths
  • Configure alerts for any file writes outside designated upload directories
  • Monitor for execution of newly created files in web-accessible paths
  • Implement network-level monitoring for POST requests with anomalous Content-Disposition values
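
The multipart inspection described in the detection strategies above can be prototyped offline against logged request bodies. The following is an added example, not code from SentinelOne or the Apache Struts project; the sample body and its field names (doc, docName, comment) are constructed for illustration.

```python
import re
from email import message_from_bytes
from urllib.parse import unquote

TRAVERSAL = re.compile(r"\.\.[/\\]")  # ../ or ..\ once encodings are removed

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (..%2f, ..%252f)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_upload(content_type, body):
    """Flag multipart parts whose filename or field value has a traversal sequence."""
    # Prepend the request's Content-Type so the stdlib MIME parser splits the parts.
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    findings = []
    if not msg.is_multipart():
        return findings
    for part in msg.get_payload():
        field = part.get_param("name", header="content-disposition") or ""
        filename = part.get_filename()
        if filename is not None:
            location, raw = "filename", filename
        else:
            payload = part.get_payload(decode=True) or b""
            location, raw = "value", payload.decode("utf-8", "replace").strip()
        if TRAVERSAL.search(fully_decode(raw)):
            findings.append((field, location, raw))  # (field, where, raw value)
    return findings

# Constructed sample body: hypothetical field names, not captured traffic.
SAMPLE_CT = "multipart/form-data; boundary=XBOUND"
SAMPLE_BODY = (
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="doc"; filename="..%2f..%2freport.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="docName"\r\n\r\n../../notes.txt\r\n'
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\nquarterly numbers\r\n'
    b"--XBOUND--\r\n"
)

if __name__ == "__main__":
    print(inspect_upload(SAMPLE_CT, SAMPLE_BODY))
```

Decoding repeatedly before matching matters because a single-pass filter misses double-encoded separators such as ..%252f.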

How to Mitigate CVE-2023-50164

Immediate Actions Required

  • Upgrade Apache Struts immediately to version 2.5.33 or 6.3.0.2 or greater
  • Audit all Struts-based applications to identify vulnerable instances
  • Review web server directories for any unauthorized or suspicious files that may indicate prior compromise
  • Implement network segmentation to limit exposure of vulnerable applications while patching

Patch Information

Apache has released security patches addressing this vulnerability. Users are strongly recommended to upgrade to the following fixed versions:

  • Struts 2.x: Upgrade to version 2.5.33 or later
  • Struts 6.x: Upgrade to version 6.3.0.2 or later

For detailed information, refer to the Apache Security Advisory. Additional vendor guidance is available from the NetApp Security Advisory for environments running affected NetApp products.
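
To support the audit step above, the following added example (not SentinelOne's or Apache's tooling) walks a deployment directory, finds struts2-core jars on disk or packed inside .war/.ear archives, and compares each version with the fixed releases named on this page. It assumes the library keeps its standard struts2-core-<version>.jar file name, and it reports release lines other than 2.x and 6.x as "unknown" because this page does not cover them.

```python
import re
import zipfile
from pathlib import Path

# Fixed releases named on this page, keyed by major version.
FIXED = {2: (2, 5, 33), 6: (6, 3, 0, 2)}
JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def classify(version):
    """Return 'vulnerable', 'fixed', or 'unknown' (release line not on this page)."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[0])
    if fixed is None:
        return "unknown"
    # Tuple comparison treats 6.3.0 as older than 6.3.0.2.
    return "vulnerable" if parts < fixed else "fixed"

def audit(root):
    """Return (location, version, status) for each struts2-core jar under root,
    including jars packed inside .war/.ear archives."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        match = JAR.search(path.name)
        if match:
            results.append((str(path), match.group(1), classify(match.group(1))))
        elif path.suffix.lower() in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    match = JAR.search(entry)
                    if match:
                        version = match.group(1)
                        results.append((f"{path}!{entry}", version, classify(version)))
    return results

if __name__ == "__main__":
    import sys
    for row in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```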

Workarounds

  • Deploy a Web Application Firewall (WAF) with rules to block requests containing path traversal sequences in file upload parameters
  • Restrict file upload functionality to authenticated users only where possible
  • Implement strict whitelist validation on uploaded file types and names at the application level
  • Consider temporarily disabling file upload functionality for critical applications until patches can be applied
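# Example ModSecurity rule to block path traversal in uploads.
# Multipart Content-Disposition lines are part headers inside the request body,
# not HTTP request headers, so the rule inspects the parsed upload collections
# (requires SecRequestBodyAccess On).
SecRule FILES|FILES_NAMES "@rx \.\.[/\x5c]" \
    "id:50164,phase:2,deny,status:403,t:none,t:urlDecodeUni,msg:'CVE-2023-50164 Path Traversal Attempt'"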

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
