Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible RCE when performing file upload based on Jakarta Multipart parser
Maximum security rating
Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn>
It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown which is then used to display an error message to a user.
If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 18.104.22.168. You can also switch to a different implementation of the Multipart parser.
No backward incompatibility issues are expected.
Implement a Servlet filter which validates Content-Type and discards requests with suspicious values not matching multipart/form-data. Another option is to remove the File Upload Interceptor from the stack: define your own custom stack and set it as the default (please read How do we configure an Interceptor to be used with every Action).
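The Servlet filter workaround above, as an added example that is not part of the advisory or of Struts itself. It assumes the javax.servlet API used by Struts 2.3/2.5 and a deliberately strict allowlist pattern for a well-formed multipart/form-data header; the class name and the boundary pattern are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of Struts): rejects multipart requests whose
// Content-Type header does not strictly match "multipart/form-data; boundary=..."
// before the Struts multipart parser ever sees them.
public class MultipartContentTypeFilter implements Filter {

    // Boundary characters per RFC 2046 (bchars), 1 to 70 characters, optionally
    // quoted; an optional charset parameter is tolerated. Anything else fails.
    private static final Pattern VALID_MULTIPART = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=\"?[0-9A-Za-z'()+_,\\-./:=?]{1,70}\"?"
        + "(\\s*;\\s*charset=[0-9A-Za-z_\\-]{1,40})?\\s*$",
        Pattern.CASE_INSENSITIVE);

    static boolean isAcceptable(String contentType) {
        if (contentType == null) {
            return true;  // no body type declared: not a multipart upload
        }
        if (!contentType.toLowerCase(Locale.ROOT).contains("multipart/")) {
            return true;  // non-multipart requests are not routed to the multipart parser
        }
        return VALID_MULTIPART.matcher(contentType).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String contentType = ((HttpServletRequest) req).getHeader("Content-Type");
        if (!isAcceptable(contentType)) {
            // Discard the request with a fixed message; never echo the header back.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                                                  "Unsupported Content-Type");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Map the filter in web.xml ahead of the Struts filter so it runs first; the pattern is intentionally strict and may need widening for clients that send additional parameters.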