RAC/M Identity™ is our simple and effective identity governance (IAM) solution that enables businesses large and small to understand and manage the complex relationships between users and their access to physical and digital resources, offered as an on-premise or SaaS solution.
A vulnerability impacting Struts 2 was announced on December 7, 2023. This vulnerability allows manipulation of the uploaded file name to escape the upload folder (“Path traversal”). An application using the uploaded file name to write the uploaded file can write to an arbitrary path on disk. This could allow an attacker to execute code on a vulnerable machine.
After an investigation we have determined that RAC/M Identity does use the “File Upload” functionality in Struts 2 but does not use the uploaded file name to save the file. Therefore, it is not vulnerable.
Reference :
CVE: CVE-2023-50164 (https://nvd.nist.gov/vuln/detail/CVE-2023-50164)
OKIOK support team
Do not hesitate to contact our support group if you have any questions regarding this Security Bulletin at support@okiok.com