
CVE-2023-50164: Apache Struts vulnerable to path traversal

CVSS Score (v3.1)
9.8

Basic Information

EPSS Score
0.99754%
Published
12/7/2023
Updated
2/13/2025
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name                    | Ecosystem | Vulnerable Versions  | First Patched Version
org.apache.struts:struts2-core  | maven     | >= 6.0.0, < 6.3.0.2  | 6.3.0.2
org.apache.struts:struts2-core  | maven     | >= 2.0.0, < 2.5.33   | 2.5.33

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from case-sensitive parameter handling in the HttpParameters class. The fix commit makes the parameter operations case-insensitive: 1) get() was modified to compare keys with equalsIgnoreCase, 2) contains() gained a case-insensitive iteration over the keys, 3) remove() now deletes every case variant of a name through the iterator, and 4) appendAll() performs case-aware cleanup before merging. Before the patch, two parameters whose names differed only in case could coexist in the container, so an attacker could supply a differently cased copy of a parameter that the framework expected to control, and that copy survived lookups, checks and removals performed under the framework's own spelling. Applied to file upload parameters, this let the attacker influence the file name used for the upload and reach a path traversal. The test cases added in HttpParametersTest.java explicitly verify the case-insensitive behaviour, confirming these four methods as the vulnerable points.

Vulnerable functions

org.apache.struts2.dispatcher.HttpParameters.get
core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java
The get() method performed case-sensitive parameter key lookups, allowing attackers to bypass validation by varying parameter name casing. This enabled path traversal via manipulated upload parameters.
org.apache.struts2.dispatcher.HttpParameters.contains
core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java
The contains() method used a case-sensitive check, so a test for a parameter name did not detect a variant of that name with different casing. Attacker-supplied parameters could therefore slip past any handling keyed on the expected name.
org.apache.struts2.dispatcher.HttpParameters.remove
core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java
The remove() method only deleted exact case matches, leaving behind parameters with different casing that could be exploited for path traversal.
org.apache.struts2.dispatcher.HttpParameters.appendAll
core/src/main/java/org/apache/struts2/dispatcher/HttpParameters.java
Prior to the patch, appendAll() didn't properly handle case conflicts when merging parameters, enabling parameter injection through case variation.
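To make the case-handling point concrete, the following is an added example, not Apache Struts code and not the patch itself: a minimal parameter container that reproduces the pre-patch (exact-match) and post-patch (case-insensitive) semantics of get(), contains(), remove() and appendAll() described above, and a simulated binding step showing which value an action would receive. The multipart field name `Upload`, the property names `uploadFileName`/`UploadFileName`, the traversal payload and the `isSafeFileName` check are assumptions constructed for this demonstration; the page does not name the parameters involved.

```java
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Apache Struts code. caseInsensitive=false models the
// pre-patch container (exact key matching everywhere); true models the patched one.
public class ParamCaseDemo {

    static final class Params {
        private final Map<String, String> map = new LinkedHashMap<>();
        private final boolean caseInsensitive;

        Params(boolean caseInsensitive) {
            this.caseInsensitive = caseInsensitive;
        }

        private boolean sameName(String a, String b) {
            return caseInsensitive ? a.equalsIgnoreCase(b) : a.equals(b);
        }

        // Pre-patch: exact key match only; post-patch: equalsIgnoreCase scan of the keys.
        String get(String name) {
            for (Map.Entry<String, String> e : map.entrySet()) {
                if (sameName(e.getKey(), name)) {
                    return e.getValue();
                }
            }
            return null;
        }

        boolean contains(String name) {
            return get(name) != null;
        }

        // Post-patch: removes every case variant through the iterator; pre-patch only the exact key.
        void remove(String name) {
            Iterator<Map.Entry<String, String>> it = map.entrySet().iterator();
            while (it.hasNext()) {
                if (sameName(it.next().getKey(), name)) {
                    it.remove();
                }
            }
        }

        // Merge incoming parameters, incoming values winning. With a case-sensitive
        // remove(), an existing key that differs only in case survives the merge.
        void appendAll(Map<String, String> incoming) {
            for (Map.Entry<String, String> e : incoming.entrySet()) {
                remove(e.getKey());
                map.put(e.getKey(), e.getValue());
            }
        }

        Map<String, String> snapshot() {
            return new LinkedHashMap<>(map);
        }
    }

    // Simulated binding: the value the action would receive for the hypothetical
    // "uploadFileName" property after request parsing and upload handling.
    static String resolveFileName(boolean caseInsensitive) {
        Params params = new Params(caseInsensitive);
        // Constructed request data: an attacker-controlled ordinary form parameter.
        params.appendAll(Map.of("uploadFileName", "../../webapps/ROOT/shell.jsp"));
        // Constructed framework step: after parsing the multipart part named "Upload",
        // upload handling records the client file name under "UploadFileName".
        params.appendAll(Map.of("UploadFileName", "report.pdf"));
        return params.get("uploadFileName");
    }

    // Defence in depth, independent of the parameter fix (an added check, not from the
    // page): never accept a client-supplied file name carrying separators or "..".
    static boolean isSafeFileName(String name) {
        return name != null && !name.isEmpty()
                && !name.contains("/") && !name.contains("\\")
                && !name.contains("..");
    }

    public static void main(String[] args) {
        for (boolean patched : new boolean[] {false, true}) {
            String resolved = resolveFileName(patched);
            System.out.println((patched ? "post-patch" : "pre-patch ") + ": " + resolved
                    + " (safe=" + isSafeFileName(resolved) + ")");
        }
    }
}
```

Run with `java ParamCaseDemo.java` (Java 11 or later). In the pre-patch run the attacker's `uploadFileName` entry survives appendAll() because remove() only matched the exact key `UploadFileName`, and the exact-match get() then returns the traversal string; in the post-patch run the case-aware remove() discards the attacker's entry during the merge and get() returns the framework's `report.pdf`. The isSafeFileName() check is the independent guard a file-writing action should keep regardless of how parameters are merged.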

WAF Protection Rules

WAF Rule

An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts
