9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-50164

GHSA ID

GHSA-2j39-qcjm-428w

EPSS Score

0.99754%

CWE

CWE-552

Published

12/7/2023

Updated

2/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-50164

CVE-2023-50164: Apache Struts vulnerable to path traversal

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-50164

GHSA ID

GHSA-2j39-qcjm-428w

EPSS Score

0.99754%

CWE

CWE-552

Published

12/7/2023

Updated

2/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.struts:struts2-core	maven	>= 6.0.0, < 6.3.0.2	6.3.0.2
org.apache.struts:struts2-core	maven	>= 2.0.0, < 2.5.33	2.5.33

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from case-sensitive parameter handling in HttpParameters class. The commit shows critical changes making parameter operations case-insensitive: 1) get() was modified to use equalsIgnoreCase, 2) contains() added case-insensitive iteration, 3) remove() added case-aware iterator removal, and 4) appendAll() gained case-aware cleanup. These functions previously allowed attackers to bypass security checks by manipulating parameter casing, enabling path traversal through specially crafted upload parameters. The added test cases in HttpParametersTest.java explicitly verify the case-insensitive behavior, confirming these were the vulnerable points.

Vulnerable functions

org.apache.struts2.dispatcher.HttpParameters.get

core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java

The get() method performed case-sensitive parameter key lookups, allowing attackers to bypass validation by varying parameter name casing. This enabled path traversal via manipulated upload parameters.

org.apache.struts2.dispatcher.HttpParameters.contains

core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java

The contains() method used case-sensitive checks, failing to detect malicious parameters with case variations. This allowed unauthorized parameter manipulation.

org.apache.struts2.dispatcher.HttpParameters.remove

core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java

The remove() method only deleted exact case matches, leaving behind parameters with different casing that could be exploited for path traversal.

org.apache.struts2.dispatcher.HttpParameters.appendAll

core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java

Prior to the patch, appendAll() didn't properly handle case conflicts when merging parameters, enabling parameter injection through case variation.

WAF Protection Rules

WAF Rule

*n *tt**k*r **n m*nipul*t* *il* uplo** p*r*ms to *n**l* p*t*s tr*v*rs*l *n* un**r som* *ir*umst*n**s t*is **n l*** to uplo**in* * m*li*ious *il* w*i** **n ** us** to p*r*orm R*mot* *o** *x**ution. Us*rs *r* r**omm*n*** to up*r*** to v*rsions Struts *

Reasoning

T** vuln*r**ility st*mm** *rom **s*-s*nsitiv* p*r*m*t*r **n*lin* in `*ttpP*r*m*t*rs` *l*ss. T** *ommit s*ows *riti**l ***n**s m*kin* p*r*m*t*r op*r*tions **s*-ins*nsitiv*: *) `**t()` w*s mo*i*i** to us* `*qu*lsI*nor***s*`, *) `*ont*ins()` ***** **s*-

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-50164: Apache Struts vulnerable to path traversal

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI