An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater toย fix this issue.
[
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.struts",
"product": "Apache Struts",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.5.32",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.0.1",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
]