VYPR
High severity · NVD Advisory · Published Sep 14, 2020 · Updated Aug 4, 2024

CVE-2019-0233


Description

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Struts 2.0.0 through 2.5.20 allow an attacker to cause a denial of service via file upload by overriding file access permissions.

Vulnerability

Description

CVE-2019-0233 is a vulnerability in Apache Struts 2, versions 2.0.0 to 2.5.20, where an access permission override during file upload can lead to a Denial of Service (DoS). The root cause is that stack-accessible values of types java.io.File and java.nio.File, as well as other classes from these packages, are not properly protected by the framework. An attacker can therefore manipulate the request to set the working copy of an uploaded file to read-only, or even make the Servlet container's temporary directory read-only [1][2].

Exploitation and Impact

To exploit this, an attacker can perform a file upload to an Action that exposes the file via a getter. By crafting a malicious request, the attacker can override the permissions of the uploaded file's working copy, causing subsequent operations on that file to fail. In a more severe scenario, the attacker might set the Servlet container's temporary directory to read-only, which would cause all subsequent file upload actions in that container to fail, effectively resulting in a Denial of Service [2]. The attack requires the ability to upload a file to an affected Struts 2 application, but no authentication is explicitly required if the upload action is publicly accessible.

Mitigation and Remediation

The vulnerability is fixed in Apache Struts 2.5.22, which excludes classes from java.io and java.nio from property evaluation by default, preventing the dangerous property manipulation [2]. Users are strongly advised to upgrade to version 2.5.22 or later. For those who cannot upgrade immediately, a workaround exists: add java.io. and java.nio. to the struts.excludedPackageNames constant in the struts-default.xml configuration file to block access to these packages [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
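Added example (not part of this advisory or of the Apache Struts project): a small Python check that parses a Struts configuration file and reports whether the struts.excludedPackageNames constant carries the java.io. and java.nio. prefixes named in the workaround above, so the mitigation can be verified across a fleet of deployments before or after upgrading. The two struts.xml fragments are constructed samples, and the rule that a later <constant> definition overrides an earlier one is an assumption of this checker.

```python
import xml.etree.ElementTree as ET

# Prefixes the workaround adds to struts.excludedPackageNames; Struts 2.5.22
# excludes them by default, the affected releases do not.
REQUIRED_PREFIXES = ("java.io.", "java.nio.")
CONSTANT_NAME = "struts.excludedPackageNames"


def excluded_packages(struts_xml: str):
    """Return the package prefixes listed for struts.excludedPackageNames,
    or None when the file never sets the constant (framework default applies)."""
    root = ET.fromstring(struts_xml)
    value = None
    for const in root.iter("constant"):
        if const.get("name") == CONSTANT_NAME:
            value = const.get("value", "")  # assumption: later definition wins
    if value is None:
        return None
    return [p.strip() for p in value.split(",") if p.strip()]


def missing_prefixes(struts_xml: str):
    """Return the workaround prefixes the configuration does not exclude.
    A file that never sets the constant is reported as missing both, because
    the default list of the affected releases does not contain them either."""
    listed = excluded_packages(struts_xml)
    if listed is None:
        return list(REQUIRED_PREFIXES)
    return [p for p in REQUIRED_PREFIXES if p not in listed]


# Constructed sample: overrides the constant but leaves java.io./java.nio. out.
WEAK_CONFIG = """<struts>
  <constant name="struts.excludedPackageNames"
            value="java.lang.,ognl,javax,freemarker.core,freemarker.template"/>
</struts>"""

# Constructed sample with the workaround applied.
FIXED_CONFIG = """<struts>
  <constant name="struts.excludedPackageNames"
            value="java.lang.,ognl,javax,freemarker.core,freemarker.template,java.io.,java.nio."/>
</struts>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        gaps = missing_prefixes(cfg)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Point the checker at the struts.xml (or struts-default.xml) actually shipped in the deployed WAR, since a constant set elsewhere in the load order is not visible to it.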

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.struts:struts2-core (Maven)
Affected versions: >= 2.0.0, < 2.5.22
Patched versions: 2.5.22
