A new vulnerability found in the Apache Struts 2 framework has received a critical severity rating from NIST's National Vulnerability Database (NVD).

A new vulnerability in the Struts 2 web application framework can potentially enable a remote attacker to execute code on systems running apps based on earlier versions of the software.

The vulnerability, announced this week by Apache, involves an attacker manipulating file upload parameters in what is referred to as a path traversal attack. Path traversal is a broad term, according to Akamai senior security researcher Sam Tinklenberg. "In this case, the use of path traversals allows an attacker to upload a malicious file, most likely a webshell, outside of the normal upload directory," he said. "The exact location will differ from application to application and must be a valid path which can be accessed from the internet."

The flaw affects only older versions of the Struts 2 framework; upgrading to version 2.5.33 (for the 2.5 line) or 6.3.0.2 (for the 6.x line) or later removes the possibility of exploitation. It was first reported by researcher Steven Seeley. Struts' maintainers at the Apache Software Foundation urged users to patch immediately, saying that the update is "a drop-in replacement, and upgrade should be straightforward."

Adding urgency to the need to patch is the news that proof-of-concept (PoC) code has been spotted in the wild. A post on X (formerly Twitter) from the Shadowserver Foundation, a nonprofit security group that bills itself as a leading reporter and tracker of malicious internet activity, said that PoC code has been seen on its sensors.

Struts 2 is a widely used framework for the development of enterprise web applications, and as such it is a common target for cybercriminals, according to Tinklenberg. He noted, however, that the PoC code being seen in the wild is mostly generic scanning and does not currently represent an imminent threat.
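To make the bug class concrete, here is an added example that is not code from the article, from Apache Struts or from the researchers quoted above. It contrasts a hypothetical upload handler that trusts the client-supplied file name with a hardened one that rejects directory components and re-checks the resolved path against the upload root. The function names, the `uploads`/`webroot` directories and the webshell stand-in are all constructed for the demonstration; the mechanism (a `../` segment in the file name escaping the upload directory) is the one the article describes.

```python
import os
import tempfile
from pathlib import Path

# Added example: hypothetical upload handlers illustrating the bug class the
# article describes. This is NOT Struts code; all names here are made up.


def save_upload_vulnerable(upload_root: str, client_filename: str, data: bytes) -> str:
    """Naive handler: trusts the client-supplied file name.

    A name such as '../webroot/shell.jsp' walks out of upload_root and lands the
    file wherever the attacker points it (path traversal).
    """
    dest = os.path.join(upload_root, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.realpath(dest)


def save_upload_hardened(upload_root: str, client_filename: str, data: bytes) -> str:
    """Hardened handler: rejects directory components, then re-checks the
    resolved path against the upload root before writing."""
    root = Path(upload_root).resolve()
    name = client_filename
    # Reject anything that could introduce a directory component on any OS.
    if not name or "\x00" in name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError(f"rejected file name: {name!r}")
    dest = (root / name).resolve()
    # Belt and braces: the final path must sit directly inside the upload root.
    if dest.parent != root:
        raise ValueError(f"path escapes upload root: {dest}")
    dest.write_bytes(data)
    return str(dest)


def is_inside(root: str, path: str) -> bool:
    """True if path resolves to a location under root."""
    root_r = os.path.realpath(root)
    return os.path.commonpath([root_r, os.path.realpath(path)]) == root_r


def demo() -> dict:
    """Run both handlers against a traversal name and a benign name."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        webroot = os.path.join(tmp, "webroot")  # stands in for a served directory
        os.makedirs(uploads)
        os.makedirs(webroot)
        payload = b"<% /* constructed stand-in for a webshell */ %>"
        evil = "../webroot/shell.jsp"

        written = save_upload_vulnerable(uploads, evil, payload)
        try:
            save_upload_hardened(uploads, evil, payload)
            hardened_blocked = False
        except ValueError:
            hardened_blocked = True
        benign = save_upload_hardened(uploads, "report.pdf", b"%PDF-1.4")
        return {
            "vulnerable_escaped_root": not is_inside(uploads, written),
            "vulnerable_landed_in_webroot": is_inside(webroot, written),
            "hardened_blocked_traversal": hardened_blocked,
            "hardened_benign_inside_root": is_inside(uploads, benign),
        }


if __name__ == "__main__":
    print(demo())
```

The hardened version does two independent things on purpose: it refuses names with separators up front (so a sanitised name is never silently relocated), and it still compares the resolved destination with the resolved root, which also catches symlinks or normalisation quirks the first check cannot see. As Tinklenberg notes, the attack only pays off if the escaped path is one the web server actually serves, which is why the demo writes into a sibling "webroot" directory.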
"For this exploit to be successful, the attack request needs to be tailored to the underlying web application," he said. "It is not likely the path and parameter used in the PoC exist in a real-world deployment or have the required file upload functionality."

Vulnerabilities in the Struts 2 framework were at the root of the infamous Equifax breach: a Struts flaw disclosed in March 2017 was exploited against Equifax later that year, compromising the personal information of roughly 147 million people and drawing widespread criticism of the company. Equifax was forced to pay more than half a billion dollars in litigation settlements and fines.
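Because the scanning Tinklenberg describes has to carry the traversal somewhere in the upload request, defenders can look for it at the request layer rather than waiting for a file to land. The following is an added example, not code from the article or from any vendor mentioned in it: it parses a constructed multipart/form-data upload, URL-decodes each file name and text field (including double-encoded variants scanners commonly send), and flags any `..` path segment. The field names `file` and `fileName` and the boundary string are hypothetical.

```python
import email
import re
from urllib.parse import unquote

# Added example: request-level detection of traversal in multipart upload
# fields. The sample request below is constructed; field names are hypothetical.

# A '..' segment bounded by a separator (or the start/end of the string).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (scanners send ..%2f, %2e%2e/, %252e...)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if value contains a '..' path segment after decoding."""
    return bool(TRAVERSAL.search(decode_layers(value)))


def scan_multipart(content_type: str, body: bytes) -> list:
    """Return (field, where, raw_value) for every suspicious multipart part.

    Checks the filename parameter of file parts and the text value of
    non-file parts, since either may end up used as a file name server-side.
    """
    # Wrap the body in a minimal header block so the stdlib MIME parser can read it.
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    )
    findings = []
    if not msg.is_multipart():
        return findings
    for part in msg.get_payload():
        field = part.get_param("name", header="content-disposition") or "?"
        filename = part.get_filename()
        if filename is not None:
            if is_traversal(filename):
                findings.append((field, "filename", filename))
        else:
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace").strip()
            if is_traversal(text):
                findings.append((field, "value", text))
    return findings


def sample_request() -> tuple:
    """Constructed multipart upload carrying an encoded traversal in a text field."""
    b = "----ExampleBoundary7"
    body = (
        f"--{b}\r\n"
        'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
        "Content-Type: text/plain\r\n\r\n"
        "hello\r\n"
        f"--{b}\r\n"
        'Content-Disposition: form-data; name="fileName"\r\n\r\n'
        "..%2F..%2Fwebapps%2FROOT%2Fshell.jsp\r\n"
        f"--{b}--\r\n"
    ).encode()
    return f"multipart/form-data; boundary={b}", body


if __name__ == "__main__":
    ct, raw = sample_request()
    for hit in scan_multipart(ct, raw):
        print("traversal in", hit)
```

Two points worth keeping in mind when turning this into a real detection: the multipart body is not in ordinary access logs, so the check has to run in a WAF, reverse proxy or the application itself; and, as the quote above stresses, a hit means someone is probing for an upload endpoint, not that the probed path and parameter exist in your deployment.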