File uploads Struts Vulnerability - CVE-2019-0233 and CVE-2023-50164


Article ID: 235819




CA Identity Manager, CA Identity Suite


What is the impact of File upload Struts Vulnerabilities on Identity Manager?
- CVE-2019-0233 
- CVE-2023-50164



Identity Manager cannot be exploited by these file upload vulnerabilities.

Identity Manager does not use a Struts-based Action class to carry out file uploads. Instead, we have implemented a custom, proprietary file upload implementation that leverages the Apache Commons library, with validation controls in place to prevent unusual or exploitable behavior around file uploads.

Additional Information

The Struts jar can't be removed because IDM uses it and the IDM management console depends on the Struts framework. The vulnerability is only in one class, which is not used by IDM.
We are planning to upgrade the Struts jar to 2.5.33 in the upcoming release (14.5.1). We are planning to move from Struts to the Spring Framework in the next major release.