According to an Apache security advisory, Apache Struts 2, a popular framework for web application development, is affected by a critical remote code execution (RCE) vulnerability, tracked as CVE-2023-50164, impacting the following versions:
Struts 2.0.0 - Struts 2.3.37 (EOL)
Struts 2.5.0 - Struts 2.5.32
Struts 6.0.0 - Struts 6.3.0
The vulnerability enables a remote attacker to manipulate file upload parameters in such a way as to upload arbitrary files and potentially achieve RCE. This flaw may be exploited to install malware, and has the potential to affect the confidentiality, integrity and availability of any data on the system.
Apache notes there are no workarounds. The only available and effective remediation is upgrading to Struts 2.5.33 or 6.3.0.2 or later.
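As an added example (not part of the advisory or of the Struts project), the following Python script turns the version ranges and fixed releases above into a check a defender can run over a deployment's WEB-INF/lib listing. The artifact name struts2-core-<version>.jar is the one Struts ships under; the jar listing in the script is constructed sample data, and the treatment of every release between a range's lower bound and the first fixed release as affected is this script's own assumption.

```python
"""Assess whether a Struts deployment falls in the version ranges listed for
CVE-2023-50164. Added example; the jar listing below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Lower bounds and first fixed releases taken from the advisory. The advisory
# lists 2.0.0 - 2.3.37 (EOL) and 2.5.0 - 2.5.32, both remediated by 2.5.33, and
# 6.0.0 - 6.3.0, remediated by 6.3.0.2. Assumption of this script: everything
# from the lower bound up to (but excluding) the first fixed release is treated
# as affected, so an interim four-component build below the fix is flagged
# rather than missed by a naive "<= 6.3.0" comparison.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("2.0.0", "2.5.33"),
    ("6.0.0", "6.3.0.2"),
]


def parse_version(text: str) -> Version:
    """'6.3.0.2' -> (6, 3, 0, 2). Python compares tuples lexicographically, so
    the shorter prefix (6, 3, 0) sorts before (6, 3, 0, 2), which is the
    ordering Struts patch releases follow."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return (lower_bound, first_fixed) if the version is affected, else None."""
    v = parse_version(version)
    for lo, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(fixed):
            return (lo, fixed)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


# Struts ships its core as struts2-core-<version>.jar under WEB-INF/lib.
JAR_PATTERN = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def struts_version_from_jars(jar_names: List[str]) -> Optional[str]:
    """Pick the Struts core version out of a list of jar paths, or None."""
    for name in jar_names:
        match = JAR_PATTERN.match(name.rsplit("/", 1)[-1])
        if match:
            return match.group(1)
    return None


def assess(jar_names: List[str]) -> Dict[str, object]:
    """Summarise exposure: detected version, affected flag, and the release
    the advisory names as the fix for that range."""
    version = struts_version_from_jars(jar_names)
    if version is None:
        return {"version": None, "affected": False, "upgrade_to": None}
    rng = affected_range(version)
    return {
        "version": version,
        "affected": rng is not None,
        "upgrade_to": rng[1] if rng else None,
    }


# Constructed sample of a WEB-INF/lib listing (not taken from a real deployment).
SAMPLE_WEB_INF_LIB = [
    "WEB-INF/lib/commons-fileupload-1.5.jar",
    "WEB-INF/lib/struts2-core-2.5.32.jar",
    "WEB-INF/lib/ognl-3.1.29.jar",
]

if __name__ == "__main__":
    # Prints {'version': '2.5.32', 'affected': True, 'upgrade_to': '2.5.33'}
    print(assess(SAMPLE_WEB_INF_LIB))
```

In practice the jar list would come from `unzip -l` on the deployed WAR or a directory walk of the exploded application; the comparison logic is the part worth keeping, since a plain string or two-component comparison gets the four-component fix release 6.3.0.2 wrong.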
There are presently no reports of exploitation in the wild; however, given the popularity of this framework and the publicity surrounding this vulnerability, the threat landscape around it should be considered highly fluid.