https://www.bleepingcomputer.com/news/security/apache-struts-team-urges-users-for-library-update-to-plug-years-old-bugs/

In an advisory yesterday, the Apache Software Foundation reiterates its recommendation for users of Struts to make sure their installations run a version of the Commons FileUpload library newer than 1.3.2, lest they expose their projects to possible remote code execution attacks.

Versions of the library prior to 1.3.3 have a deserialization problem with a Java Object, which could be exploited to write or copy files to arbitrary locations on the disk.