File uploads Struts Vulnerability - CVE-2019-0233 and CVE-2023-50164


Article ID: 235819


Products

CA Identity Manager CA Identity Suite

Issue/Introduction

What is the impact of the Struts file upload vulnerabilities on Identity Manager?
- CVE-2019-0233
- CVE-2023-50164


Resolution

Identity Manager cannot be exploited by these file upload vulnerabilities.

Identity Manager does not use the Struts-based Action class to carry out file uploads. Instead, it uses a custom, proprietary file upload implementation built on the Apache Commons library, with validation controls in place to prevent unusual or exploitable behavior around file uploads.

Additional Information

The Struts jar cannot be removed because IDM uses it and the IDM management console depends on the Struts framework. The vulnerability is confined to a single class that IDM does not use.
We plan to upgrade the Struts jar to 2.5.33 in the next upcoming release (14.5.1). We plan to move from Struts to the Spring Framework in the next major release.