Apache Struts: file upload logic is flawed (CVE-2024-53677) #shorts

CVE

The CVE-2024-53677 addresses a critical flaw in the file upload logic of Apache Struts affecting versions 2.0.0 through 6.3.9. This vulnerability allows malicious actors to exploit a directory traversal issue during file uploads. Attackers could potentially manipulate the file paths, enabling unauthorized access or modification of resources on the server. The exact tools used for exploitation are currently unknown, as are reports of specific victims. However, this has been identified as a zero-day vulnerability, indicating that exploitation could occur prior to the release of a fix, posing a significant risk to all deployed instances of affected Apache Struts versions.

Watch the full video on YouTube: CVE-2024-53677

Remediation and exploitation details

This chain involves the following actors

This following systems are involved

Attack entry point

Remediation actions

Exploitation actions

CVE database technical details

CVE ID

CVE-2024-53677

Description

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

Provider

apache

CWE / problem types

File upload logic is flawed

Affected Software Versions

Apache Software Foundation:Apache Struts:[{'lessThan': '6.4.0', 'status': 'affected', 'version': '2.0.0', 'versionType': 'semver'}]

Date Published

2024-12-11T15:35:43.389Z

Last Updated

2025-01-03T12:04:30.841Z