CVE-2023-50164: Apache Struts vulnerable to path traversal
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.99754%
CWE
Published
12/7/2023
Updated
2/13/2025
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.struts:struts2-core | maven | >= 6.0.0, < 6.3.0.2 | 6.3.0.2 |
org.apache.struts:struts2-core | maven | >= 2.0.0, < 2.5.33 | 2.5.33 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from case-sensitive parameter handling in HttpParameters
class. The commit shows critical changes making parameter operations case-insensitive: 1) get()
was modified to use equalsIgnoreCase
, 2) contains()
added case-insensitive iteration, 3) remove()
added case-aware iterator removal, and 4) appendAll()
gained case-aware cleanup. These functions previously allowed attackers to bypass security checks by manipulating parameter casing, enabling path traversal through specially crafted upload parameters. The added test cases in HttpParametersTest.java
explicitly verify the case-insensitive behavior, confirming these were the vulnerable points.
Vulnerable functions
org.apache.struts2.dispatcher.HttpParameters.get
core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java
The get() method performed case-sensitive parameter key lookups, allowing attackers to bypass validation by varying parameter name casing. This enabled path traversal via manipulated upload parameters.
org.apache.struts2.dispatcher.HttpParameters.contains
core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java
The contains() method used case-sensitive checks, failing to detect malicious parameters with case variations. This allowed unauthorized parameter manipulation.
org.apache.struts2.dispatcher.HttpParameters.remove
core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java
The remove() method only deleted exact case matches, leaving behind parameters with different casing that could be exploited for path traversal.
org.apache.struts2.dispatcher.HttpParameters.appendAll
core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java
Prior to the patch, appendAll() didn't properly handle case conflicts when merging parameters, enabling parameter injection through case variation.