The Apache Software Foundation has released a security advisory that fixes a vulnerability in Commons FileUpload library in Apache Struts versions 2.3.36 and prior.
System administrators should immediately upgrade commons-fileupload to version 1.3.3. The patch is required to prevent your public-facing web site from being exposed to potential Remote Code Execution attacks.
Apache Struts versions from 2.5.12 or newer are not affected by the vulnerability as they already include the latest commons-fileupload version 1.3.3.
An excerpt of the Struts issue:
“Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”