Unrestricted Upload of File with Dangerous Type in Apache Struts2
High severity
GitHub Reviewed
Published
Apr 23, 2022
to the GitHub Advisory Database
•
Updated Feb 13, 2023
Package
Affected versions
>= 2.0, < 2.5.22
Patched versions
2.5.22
Description
Published by the National Vulnerability Database
Dec 5, 2019
Published to the GitHub Advisory Database
Apr 23, 2022
Reviewed
Jul 13, 2022
Last updated
Feb 13, 2023
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. A patch exists as of version 2.5.22.
References