Summary
File upload logic is flawed, and allows an attacker to enable path traversal
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Remote Code Execution
Maximum security rating
Recommendation
Upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater
Affected Software
Struts 2.0.0 - Struts 2.3.37 (EOL), Struts 2.5.0 - Struts 2.5.32, Struts 6.0.0 - Struts 6.3.0
Reporter
Steven Seeley of Source Incite
Problem
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
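The advisory's fix is to upgrade Struts; the example below is added here to show the defensive check an application should apply on its own side regardless of framework version, so that an attacker-controlled upload name can never select a destination outside the intended upload directory. It is not Struts code and not part of the advisory; the class name, the upload directory and the sample names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (hypothetical class, not part of Struts): confine an
// attacker-supplied upload file name to a fixed directory.
public final class SafeUploadDestination {

    // Constructed upload root; normalised once so startsWith() comparisons are reliable.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /**
     * Map the client-supplied file name to a path under UPLOAD_DIR.
     * Throws IllegalArgumentException for anything that would escape it.
     */
    public static Path resolveDestination(String submittedFileName) {
        if (submittedFileName == null || submittedFileName.isEmpty()
                || submittedFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }

        // Treat backslashes as separators too: a Windows-style "..\\..\\x" must not
        // survive as a single "file name" on a Unix host.
        String unified = submittedFileName.replace('\\', '/');

        String base;
        try {
            // Keep only the last path element. Browsers may send a full client path,
            // and an attacker may send traversal sequences in front of the name.
            base = Paths.get(unified).getFileName() == null
                    ? "" : Paths.get(unified).getFileName().toString();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("malformed file name", e);
        }

        // getFileName() of ".." is still "..": reject it and other degenerate names.
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("file name has no usable base name");
        }

        // Resolve against the root and re-check containment after normalisation;
        // this is the check that holds even if an earlier filter was bypassed.
        Path destination = UPLOAD_DIR.resolve(base).normalize();
        if (!destination.startsWith(UPLOAD_DIR) || destination.equals(UPLOAD_DIR)) {
            throw new IllegalArgumentException("destination escapes upload directory");
        }
        return destination;
    }

    /** Move a received temporary file into place without overwriting existing files. */
    public static Path store(Path receivedTempFile, String submittedFileName) throws IOException {
        Path destination = resolveDestination(submittedFileName);
        Files.createDirectories(UPLOAD_DIR);
        // No REPLACE_EXISTING: an upload must never clobber a file already on disk.
        return Files.move(receivedTempFile, destination);
    }

    public static void main(String[] args) {
        // Constructed sample names: the first is benign, the rest are the shapes
        // a traversal attempt takes. Only the first resolves; the others are rejected.
        String[] samples = {
                "report.pdf",
                "../../webapps/ROOT/evil.jsp",
                "..\\..\\webapps\\ROOT\\evil.jsp",
                "..",
                "subdir/../../escape.txt"
        };
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + resolveDestination(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Note that the last sample, "subdir/../../escape.txt", is reduced to "escape.txt" by the base-name step and therefore accepted under the upload root; that is the intended outcome, since the attacker controls only the leaf name, never the directory. The final startsWith() check is deliberately kept even though the base-name step already strips separators, so that a future change to the name handling cannot silently reintroduce traversal.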
Solution
Upgrade to Struts 2.5.33, 6.3.0.2 or greater.
Backward compatibility
No issues expected when upgrading to Struts 2.5.33 or 6.3.0.2