The Apache Software Foundation is urging users running Apache Struts 2.3.x to update the Commons FileUpload library as soon as possible to close a serious vulnerability.
That vulnerability could be leveraged for a remote code execution attack.
Apache Struts 2 is an open source web application framework for developing Java EE web applications. The Commons FileUpload library adds file upload capabilities to servlets and web applications.
The vulnerability, tracked as CVE-2016-1000031, is present in Commons FileUpload versions before 1.3.3. It arose from the inclusion of a Java object that can be manipulated to write or copy files to disk in arbitrary locations.
The vulnerability is present in Apache Struts 2.3.x because it uses the vulnerable version of the library (v1.3.2).
Those who run Struts 2.5.x are not affected because it includes the patched version of the library.
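To find deployments that still bundle an affected copy, the added example below (not Apache's own tooling) walks a directory tree and reports every Commons FileUpload jar older than 1.3.3, in both exploded applications and packed .war/.ear archives. It assumes the jar keeps its standard `commons-fileupload-<version>.jar` file name; renamed or shaded copies and archives nested inside other archives are not detected.

```python
import re
import zipfile
from pathlib import Path

FIXED = (1, 3, 3)  # first patched Commons FileUpload release, per the advisory
JAR_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")


def jar_version(name):
    """Return the version tuple encoded in a jar file name, or None."""
    m = JAR_RE.search(name.replace("\\", "/"))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True when version sorts before 1.3.3 (1.3 is padded to 1.3.0)."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def scan(root):
    """Yield (location, version, vulnerable) for every bundled copy under root.

    Covers exploded deployments (jars on disk) and packed .war/.ear archives.
    """
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ".jar":
            names = [(str(path), path.name)]
        elif suffix in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                names = [(f"{path}!{n}", n) for n in archive.namelist()]
        else:
            continue
        for location, name in names:
            version = jar_version(name)
            if version is not None:
                yield location, version, is_vulnerable(version)


if __name__ == "__main__":
    import sys
    for location, version, vulnerable in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "VULNERABLE (CVE-2016-1000031)" if vulnerable else "ok"
        print(f"{'.'.join(map(str, version))}\t{status}\t{location}")
```

Run it against the application server's deployment directory; any line marked VULNERABLE identifies a copy of the library to replace with 1.3.3 or later.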