cve/2023/CVE-2023-50164.md

### [CVE-2023-50164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Struts&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=2.0.0%3C%3D%202.5.32%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-552%20Files%20or%20Directories%20Accessible%20to%20External%20Parties&color=brighgreen)

### Description

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

### POC

#### Reference
- http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html

#### Github
- https://github.com/AsfandAliMemon25/CVE-2023-50164Analysis-
- https://github.com/Marco-zcl/POC
- https://github.com/Thirukrishnan/CVE-2023-50164-Apache-Struts-RCE
- https://github.com/Threekiii/CVE
- https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker
- https://github.com/aaronm-sysdig/cve-2023-50164
- https://github.com/bcdannyboy/CVE-2023-50164
- https://github.com/d4n-sec/d4n-sec.github.io
- https://github.com/dwisiswant0/cve-2023-50164-poc
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/helsecert/cve-2023-50164
- https://github.com/henrikplate/struts-demo
- https://github.com/hetianlab/S2-066
- https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE
- https://github.com/mdisec/mdisec-twitch-yayinlari
- https://github.com/minhbao15677/CVE-2023-50164
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/snyk-labs/CVE-2023-50164-POC
- https://github.com/sunnyvale-it/CVE-2023-50164-PoC
- https://github.com/tanjiti/sec_profile
- https://github.com/wjlin0/poc-doc
- https://github.com/wy876/POC
- https://github.com/xingchennb/POC-
- https://github.com/yijinglab/S2-066
-												Update Sat May 25 21:48:12 CEST 2024

											
										
										
											2024-05-25 21:48:12 +02:00
+								### [CVE-2023-50164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164)
 								![](https://img.shields.io/static/v1?label=Product&message=Apache%20Struts&color=blue)
 								![](https://img.shields.io/static/v1?label=Version&message=2.0.0%3C%3D%202.5.32%20&color=brighgreen)
 								![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-552%20Files%20or%20Directories%20Accessible%20to%20External%20Parties&color=brighgreen)
 								### Description
 								An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
 								### POC
 								#### Reference
 								- http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html
 								#### Github
-												Update CVE sources 2024-05-28 08:49

											
										
										
											2024-05-28 08:49:17 +00:00
+								- https://github.com/AsfandAliMemon25/CVE-2023-50164Analysis-
-												Update Sat May 25 21:48:12 CEST 2024

											
										
										
											2024-05-25 21:48:12 +02:00
+								- https://github.com/Marco-zcl/POC
 								- https://github.com/Thirukrishnan/CVE-2023-50164-Apache-Struts-RCE
 								- https://github.com/Threekiii/CVE
 								- https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker
 								- https://github.com/aaronm-sysdig/cve-2023-50164
 								- https://github.com/bcdannyboy/CVE-2023-50164
 								- https://github.com/d4n-sec/d4n-sec.github.io
 								- https://github.com/dwisiswant0/cve-2023-50164-poc
 								- https://github.com/fkie-cad/nvd-json-data-feeds
 								- https://github.com/helsecert/cve-2023-50164
 								- https://github.com/henrikplate/struts-demo
 								- https://github.com/hetianlab/S2-066
 								- https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE
-												Update CVE sources 2024-05-28 08:49

											
										
										
											2024-05-28 08:49:17 +00:00
+								- https://github.com/mdisec/mdisec-twitch-yayinlari
 								- https://github.com/minhbao15677/CVE-2023-50164
-												Update Sat May 25 21:48:12 CEST 2024

											
										
										
											2024-05-25 21:48:12 +02:00
+								- https://github.com/nomi-sec/PoC-in-GitHub
 								- https://github.com/snyk-labs/CVE-2023-50164-POC
 								- https://github.com/sunnyvale-it/CVE-2023-50164-PoC
 								- https://github.com/tanjiti/sec_profile
-												Update CVE sources 2024-05-28 08:49

											
										
										
											2024-05-28 08:49:17 +00:00
+								- https://github.com/wjlin0/poc-doc
-												Update Sat May 25 21:48:12 CEST 2024

											
										
										
											2024-05-25 21:48:12 +02:00
+								- https://github.com/wy876/POC
 								- https://github.com/xingchennb/POC-
-												Update CVE sources 2024-05-28 08:49

											
										
										
											2024-05-28 08:49:17 +00:00
+								- https://github.com/yijinglab/S2-066
-												Update Sat May 25 21:48:12 CEST 2024

											
										
										
											2024-05-25 21:48:12 +02:00