Apache Struts 2.3.36 and Earlier Vulnerable to Remote Code Execution

Apache is advising users and administrators of Apache Struts 2.3.36 and earlier to immediately upgrade the Commons FileUpload library to the latest version, 1.3.3. A vulnerability exists that could allow a threat actor to perform remote code execution. Struts versions 2.5.12 and later are not affected because they already use the latest version of the Commons FileUpload library. The NJCCIC recommends reviewing the Apache security advisory and immediately upgrading systems to Apache Struts 2.5.12 or later, or to Commons FileUpload library version 1.3.3.
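
One way to find deployed web applications that still bundle a Commons FileUpload jar older than 1.3.3, given as an added example that is not part of the advisory or of Apache's tooling. It assumes the jar keeps "commons-fileupload" in its file name and carries an Implementation-Version manifest entry (the file name is the fallback); the function names and the sample tree are constructed for illustration.

```python
import re, tempfile, zipfile
from pathlib import Path

FIXED = (1, 3, 3)  # Commons FileUpload version named in the advisory
NAME_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)")

def parse_version(text):
    """Turn '1.3.2' into (1, 3, 2); pad so '1.3' compares as (1, 3, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(jar):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.M)
        if m:
            return parse_version(m.group(1))
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # no manifest or unreadable archive: use the file name instead
    m = NAME_RE.search(jar.name)
    return parse_version(m.group(1)) if m else None

def audit(root):
    """Return sorted (relative path, version, status) for each FileUpload jar."""
    rows = []
    for jar in Path(root).rglob("*.jar"):
        if "commons-fileupload" not in jar.name.lower():
            continue
        v = jar_version(jar)
        status = "unknown" if v is None else ("ok" if v >= FIXED else "upgrade")
        rows.append((jar.relative_to(root).as_posix(), v, status))
    return sorted(rows)

def build_sample(root):
    """Constructed sample tree: two web apps, one bundling an old jar."""
    for app, ver in (("shop", "1.3.2"), ("portal", "1.3.3")):
        lib = Path(root, app, "WEB-INF", "lib")
        lib.mkdir(parents=True)
        with zipfile.ZipFile(lib / f"commons-fileupload-{ver}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, version, status in audit(tmp):
            print(f"{status:8} {path}")
```

Point `audit()` at the application server's deployment directory; a copy of the library repackaged inside another archive under a different name will not be found by this check.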