CVE-2023-49735

Path Traversal
Affects: Apache Struts <1.3.10, >=2.0.0 (in Struts)
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications. 

A Path Traversal vulnerability (CVE-2023-49735) has been reported in Apache Struts, which allows attackers to manipulate input to cause a Denial of Service.

A Path Traversal vulnerability occurs when an attacker is able to manipulate file or directory paths in an application to gain unauthorized access to files or directories outside the intended directory. This typically happens when user input is not properly sanitized or validated, allowing attackers to use sequences like ../ to navigate the file system. The implications of a Path Traversal vulnerability are severe: it can lead to unauthorized access to sensitive files, data leakage, system compromise, or further exploitation of the system, depending on the application’s privileges and access controls.

This issue affects multiple versions of Apache Struts Tiles.

Details

Vulnerability Info

The DefaultLocaleResolver.LOCALE_KEY attribute on the session was not properly validated when resolving XML definition files. This oversight allowed for potential path traversal vulnerabilities, which could lead to Server-Side Request Forgery (SSRF) or XML External Entity (XXE) attacks when user-controlled data was passed to this key. This vulnerability was particularly concerning as the key was commonly used for setting the language in applications, such as the 'tiles-test' application bundled with Tiles, making the issue more prevalent in real-world scenarios.
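The check a resolver should apply before a session-supplied locale is used to name an XML definitions file, as an added illustration that is not Tiles' own code: the value is allow-listed against the shape of a locale identifier, and the resulting path is confirmed to stay inside the definitions directory. The directory, file-name pattern and locale grammar are assumptions.

```python
import os
import re

# Constructed illustration of the pattern the advisory describes: a locale
# taken from a session attribute selects a localized XML definitions file.
# The directory, file-name pattern and locale grammar below are assumptions,
# not Tiles' own configuration or code.
DEFS_DIR = os.path.normpath("/opt/app/WEB-INF")

# Shape of java.util.Locale.toString(): language[_COUNTRY[_variant]].
LOCALE_RE = re.compile(r"[a-z]{2,3}(_[A-Z]{2})?(_[A-Za-z0-9]{1,8})?")


def validate_locale(value: str) -> str:
    """Allow-list the session value: anything that is not a bare locale
    identifier (path separators, dots, URL schemes, empty strings) is refused
    before it can reach a file or URL resolver."""
    if not isinstance(value, str) or not LOCALE_RE.fullmatch(value):
        raise ValueError(f"rejected locale value: {value!r}")
    return value


def definitions_path(locale: str) -> str:
    """Build the localized definitions file path and confirm, as a second
    line of defence, that it still lies inside DEFS_DIR."""
    name = f"tiles-defs_{validate_locale(locale)}.xml"
    candidate = os.path.normpath(os.path.join(DEFS_DIR, name))
    if os.path.commonpath([DEFS_DIR, candidate]) != DEFS_DIR:
        raise ValueError("definitions path escapes the base directory")
    return candidate


def resolves_safely(locale: str) -> bool:
    """True when the value would be accepted, False when it is refused."""
    try:
        definitions_path(locale)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for value in ("en_US", "fr", "ja_JP_JP"):
        print(value, "->", definitions_path(value))
```

The allow-list alone stops every non-locale value; the containment check is kept so that a later change to the file-name pattern cannot silently reopen the path.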

Credit

  • Joseph Beeton of Contrast Security

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2023-49735
Project Affected: Apache Struts
Versions Affected: <1.3.10, >=2.0.0
Published date: May 12, 2025
Fix date (approximate): April 17, 2024
Severity: High
Category: Path Traversal