See for yourself – run a scan on your code right now

Another year, another Apache Struts 2 vulnerability that can lead to a major data breach. You may remember Apache Struts 2 from previous security alerts, like CVE-2017-5638, CVE-2020-17530, and CVE-2021-31805. When threat actors can find a vulnerability in the open-source web application framework, they immediately seek to create exploits. Typically, developers use the model-view-control (MVC) framework to build user interfaces for Java-based web applications. 

Whether you love or hate Struts 2, the newly identified vulnerability, CVE-2023-50164, has the potential to wreak havoc on your life unless you know what to look for and how attackers are using the vulnerability. 

An Overview of CVE-2023-50164

Originally published on December 7, 2023, the National Vulnerability Database updated its entry on December 14th. 

The affected versions are:

  • Apache Struts 2.0.0 – 2.5.33
  • Apache Struts 6.0.0 -

What attackers can do with the vulnerability:

  • Manipulate file load parameters as part of path traversal
  • Upload malicious files to perform RCE

The CVE listing links to CWE-552 Files or Directories Accessible to External Parties.

Essentially, attackers can place malicious code into uploaded file content into directories or other locations that should require authorization for access. When remotely executed by the attacker, the malicious code enables them to bypass server-side security mechanisms. 

Understanding Exploits

Since the announcement, two different security research teams have published explanations showing how attackers can exploit the vulnerability. 

Steps in an Attack

The typical attack pattern would follow these general steps:

  • Reconnaissance to identify website or web application using the vulnerable Apache Struts version
  • Creation of malicious file
  • Creation of file upload file request containing path traversal command that manipulates parameters by including file name and path
  • Uploading request to vulnerable server
  • Accessing uploaded malicious file through browser or script
  • Performing additional actions

Observed exploitation attempts

The researchers at TrendMicro provide some insight about how attackers can use the vulnerability, explaining that attackers can manipulate the parameters by changing values to upper or lower case, like swapping param1=”value1″ to Param1=”Value1″. This simple shift from lowercase to uppercase then overrides the internal file name variable. 

The researchers at Akamai identified several exploitation attempts that match the initial Proof of Concept (PoC) and deviate from it. While the researchers explain that the attempts are present in the wild, they note that those similar to the PoC exploit would require the targeted endpoint to possess file upload functionality, making it unlikely that the attackers would succeed. 

The researchers identified variants on the initial PoC that target the /s2/upload.action rather than the original /login.action. Again, the endpoints would need to have file upload functionality for the attackers to be successful. 

Steps for Mitigating Apache Struts 2 Exploit Risks

For developers, the primary risk that this vulnerability poses lies in the framework’s popularity rather than ease of exploitation. To undermine security, the application needs to:

  • Use a vulnerable Struts version
  • Allow for multipart file uploads

Identify Vulnerable Apache Struts Versions

Your first step to mitigating risk is to identify all vulnerable versions of Apache Struts across your application and its dependencies. If you generate a reliable Software Bill of Materials (SBOM) that identifies all open source libraries and all CVEs, you can focus on only those containing a vulnerable Apache Struts version. 

Prioritize Based on Exploitability

Your application may use or have a component that uses a vulnerable version of Apache Struts. However, for attackers to leverage the vulnerability, your application needs to meet two specific requirements. Your vulnerability scanning should incorporate:

  • Real world threat information
  • Details about how attackers are exploiting this vulnerability in the wild
  • Insight into whether attackers can use the vulnerability within your source code’s unique context

Apply Patches 

If you identify a vulnerable Apache Struts 2 version, you should update the affected system to either:

  • 2.5.33
  • or greater

Enumerate Components that Access User Input

As a best practice, you want to ensure that you check:

  • HTTP GET and POST queries
  • File uploads and HTML forms
  • Request parameters that could be used for file-related operations
  • Variable names that attackers might find interesting
  • Cookies that attackers could identify when the application generates pages or templates

Validate Inputs

Input validation means that you’re making sure the software component only accepts appropriately formatted data. Essentially, with CVE-2023-50164, the application accepts the parameters as either uppercase or lowercase, but the difference between them allows attackers to change how the program functions. 

By validating inputs, you ensure that the application only accepts the format that you want. This way, attackers can’t simply swap uppercase for lowercase to execute the attack. 

QwietAI: Mitigate Risk by Identifying Apache Struts 2 Vulnerabilities

Quiet AI’s preZero platform enables you to identify and remediate your application’s most critical and impactful vulnerabilities. Our proprietary Code Property Graph (CPG) breaks code down into its fundamental parts while correlating them with data flows so that you can identify the vulnerabilities attackers are most capable of exploiting within your source code’s context. With Qwiet Blacklight, the only threat intelligence feed focused on application security, you gain visibility into real-world attacks actively targeting vulnerabilities, enabling you to enhance your prioritization strategies. 

Try Qwiet AI’s preZero platform for free to see how it can help you mitigate JavaScript vulnerabilities and speed time-to-market.

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit:


See for yourself – run a scan on your code right now