A remote code execution vulnerability affecting the default Jakarta Multipart parser in Apache Struts has recently been disclosed.
This vulnerability allows an attacker to execute code on the server by modifying the Content-Type value during a file upload. Successful exploitation allows the attacker to run system commands, including downloading and executing malicious payloads.
Additional information can be found at:
- If you are using the Jakarta file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 18.104.22.168.
- If you are unable to update, there are a couple of workarounds available:
- Switch to a different implementation of the Multipart parser such as the Pell Multipart plugin.
- Implement a Servlet filter, which validates the Content-Type value and discards suspicious values not matching multipart/form-data.
- Struts 2.3.5 – Struts 2.3.31
- Struts 2.5 – Struts 2.5.10
The Apache Foundation has released Struts 22.214.171.124 and 2.3.32 which are not vulnerable and are available for download at the link below: