Apache Struts2 Commons FileUpload Deserialization Remote Code Execution Vulnerability (CVE-2016-100031)Threat Alert
novembro 16, 2018
Vulnerability Overview
Recently, Apache Software Foundation (ASF) has released a security advisory to strongly advise users of Apache Struts2.3.X to upgrade the Apache Commons FileUpload component. Struts 2.3.x, by default, uses the Commons FileUpload component of V1.3.2. Early in 2016, this component of V1.3.2 is disclosed to contain a deserialization vulnerability (CVE-2016-100031) which could result in arbitrary code execution.
Commons is a Java subproject of ASF and FileUpload is a subproject for handling HTTP file uploads. The Commons FileUpload component is mainly used to assist developers in implementing the web file upload function.
