Last updated on December 19, 2024 at 01:03 pm
We’re aware of a critical vulnerability in Apache Struts 2, which is an open-source model-view-controller (MVC) framework for creating Java web applications.
This is an ‘Unrestricted Upload of File with Dangerous Type’ vulnerability (CVSSv4 score of 9.5) that exists in the file upload interceptor, which allows developers easy access to file upload support.
If this vulnerability is exploited, a remote unauthenticated attacker could traverse system paths, upload malicious files and perform remote code execution (RCE).
Remediation advice
If your school uses Apache Struts 2 we recommend you check this Apache bulletin, which advises you to upgrade to Apache Struts version 6.4.0 or higher, and migrate to the new file upload mechanism for continued functionality.
For more information please refer to: https://www.cert.govt.nz/advisories/vulnerability-affecting-apache-struts2/