CVE-2024-53677

CWE-434 — Unrestricted File Upload CWE-22 — Path Traversal CWE-915 CWE-552 — Files Accessible to External Parties12 documents10 sources

Severity

9.5CRITICAL

EPSS

93.1%

top 0.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Struts Apache Struts

Timeline

PublishedDec 11

Latest updateJan 15

Description

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upl…

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N

Affected Packages3 packages

▶Mavenorg.apache.struts:struts2-core< 6.4.0

▶NVDapache/struts2.0.0 — 6.4.0

▶CVEListV5apache_software_foundation/apache_struts2.0.0 — 6.4.0

🔴Vulnerability Details

GHSA

Apache Struts file upload logic is flawed↗2024-12-11

▶

OSV

Apache Struts file upload logic is flawed↗2024-12-11

▶

CVEList

Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks↗2024-12-11

▶

VulnCheck

Apache Struts File Upload Vulnerability↗2024

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Apache Struts2 Path Traversal Attempt Inbound M2 (CVE-2024-53677)↗2024-12-17

▶

Suricata

ET WEB_SPECIFIC_APPS Apache Struts2 Path Traversal Attempt Inbound M1 (CVE-2024-53677)↗2024-12-16

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Configuration Management Platform (Apache Struts 2) — CVE-2024-53677↗2025-01-15

▶

Red Hat

struts: org.apache.struts: mixing setters for uploaded files and normal fields can allow bypass file upload checks↗2024-12-11

▶

🕵️Threat Intelligence

Qualys

Apache Struts CVE-2024-53677: File Upload Vulnerability, Impact, and Mitigation Strategies | Qualys↗2024-12-17

▶

Qualys

Apache Struts CVE-2024-53677: File Upload Vulnerability, Impact, and Mitigation Strategies↗2024-12-17

▶

Bleepingcomputer

New critical Apache Struts flaw exploited to find vulnerable servers↗2024-12-17

▶