NOTE: The published remediation for this alert is to upgrade to Apache Struts 2.5.12. However, version 2.5.12 itself is affected by CRITICAL vulnerabilities. The Vulnerability Management Team therefore recommends upgrading to 2.5.17 or 2.5.18.
Discussion:
Apache Commons FileUpload contains a flaw in its DiskFileItem class. The flaw is triggered when an attacker uploads a file via DiskFileItem and is able to specify the path at which the file is written. This can be leveraged to place a Java payload on disk that is subsequently deserialized, leading to remote code execution.
Recommended Remediation:
Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or earlier.
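To verify the remediation across deployed applications, the following added inventory check (not part of this alert) walks a directory tree for commons-fileupload jars and flags any whose manifest Implementation-Version is below 1.3.3; it assumes the jars carry that manifest attribute, falls back to the version embedded in the file name, and treats an unknown version as needing review rather than as safe. The sample jars built by make_jar are constructed for illustration only.

```python
"""Flag commons-fileupload jars older than the 1.3.3 fix level named in the remediation."""
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (1, 3, 3)          # commons-fileupload 1.3.3, per the remediation above
MANIFEST = "META-INF/MANIFEST.MF"
VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Turn '1.3.2' or '1.4' into a comparable tuple of ints; qualifiers are ignored."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def manifest_version(jar_bytes):
    """Return Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if MANIFEST not in jar.namelist():
            return None
        for line in jar.read(MANIFEST).decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    return None


def is_vulnerable_fileupload(jar_name, jar_bytes):
    """True when the jar looks like commons-fileupload older than 1.3.3 (or of unknown version)."""
    if "commons-fileupload" not in jar_name.lower():
        return False                       # not the library this alert concerns
    version = manifest_version(jar_bytes)
    if version is None:                    # fall back to the version in the file name
        name_match = re.search(r"commons-fileupload-(\d[\d.]*)", jar_name, re.I)
        version = name_match.group(1) if name_match else None
    if version is None:
        return True                        # unknown version: needs review, not assumed safe
    return parse_version(version) < FIXED_VERSION


def scan_directory(root):
    """Return paths of jars under root that fail the check (e.g. WEB-INF/lib trees)."""
    return [str(p) for p in Path(root).rglob("*.jar")
            if is_vulnerable_fileupload(p.name, p.read_bytes())]


def make_jar(version):
    """Constructed sample jar (not a real artifact) carrying the given manifest version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()
```

Point scan_directory at each application's library directory; a non-empty result means the commons-fileupload upgrade has not been applied there.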