Apache Struts: file upload logic is flawed (CVE-2024-53677) #shorts

CVE-2024-53677 is a critical flaw in the legacy file upload logic of Apache Struts, affecting versions from 2.0.0 before 6.4.0. An attacker can manipulate the file upload parameters of a request so that the supplied file name is treated as a path, enabling path traversal out of the intended upload directory. Under some circumstances this lets the attacker write a malicious file to a location of their choosing on the server, which can then be used to achieve remote code execution. Only applications that still rely on the old FileUploadInterceptor-based upload mechanism are exposed. The exact tools used for exploitation and reports of specific victims were not publicly known at the time of writing. Because the fix requires both upgrading the framework and migrating application code to the new upload mechanism, a deployment that has only been partially updated remains exposed, so every instance running an affected version with the legacy upload logic should be treated as at risk until both steps are complete.

Watch the full video on YouTube: CVE-2024-53677

Remediation and exploitation details

This chain involves the following actors

A remote attacker who can submit a multipart file upload to a Struts action. No specific threat actor or victim had been publicly attributed at the time of writing.

The following systems are involved

Web applications built on Apache Struts from 2.0.0 before 6.4.0 that still use the legacy FileUploadInterceptor-based upload logic, together with the server filesystem (including any web-served directories) that the application process can write to.

Attack entry point

An HTTP multipart request to an action that accepts file uploads, with the file upload parameters, in particular the file name used to store the upload, under attacker control.

Remediation actions

Upgrade Apache Struts to 6.4.0 or later and migrate the application's upload handling to the new file upload mechanism (ActionFileUploadInterceptor) described at https://struts.apache.org/core-developers/file-upload . Upgrading alone does not remove the flaw while the old FileUploadInterceptor-based logic is still in use; applications that never used that logic are not affected. As a check after patching, review upload directories and web-served directories for unexpected files written while an affected version was deployed.

Exploitation actions

The attacker manipulates the file upload parameters so that the stored file name contains path traversal sequences, causing the uploaded file to land outside the intended upload directory. Under some circumstances the attacker can place a malicious file (for example a server-side script) where it will be executed, achieving remote code execution.
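As an added example (not code from this page, from Apache Struts, or from the CVE record), the following standalone Java class contrasts the flawed pattern, resolving a client-supplied file name directly under the upload directory, with a hardened handler that rejects path separators and traversal, allow-lists the file extension, and verifies that the normalized destination is still a direct child of the upload root. The directory /var/app/uploads, the class and method names, the attacker-style input and the allowed extensions are assumptions chosen for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Added example, not Struts code. UPLOAD_ROOT, the class/method names and the
// extension allow-list are assumptions chosen for illustration.
public class UploadPathCheck {

    // Hypothetical upload directory; normalized once so containment checks are exact.
    static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Hypothetical allow-list of extensions this application accepts.
    static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "png", "jpg", "txt");

    /**
     * Flawed pattern: the name supplied by the client is used as-is to build the
     * destination. A name such as "../../webapps/ROOT/shell.jsp" escapes UPLOAD_ROOT.
     */
    static Path vulnerableDestination(String clientFileName) {
        return UPLOAD_ROOT.resolve(clientFileName).normalize();
    }

    /**
     * Hardened pattern. Rejects instead of silently repairing, so a traversal
     * attempt surfaces as an error that can be logged and alerted on.
     */
    static Path safeDestination(String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Single path component only: no POSIX or Windows separators, no NUL bytes.
        if (clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("path separator in file name");
        }
        // Conservative character set; the leading alphanumeric also excludes ".", ".." and dot-files.
        if (!clientFileName.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,127}")) {
            throw new IllegalArgumentException("disallowed characters in file name");
        }
        // Extension allow-list: a server-side script such as shell.jsp is refused here.
        int dot = clientFileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Defense in depth: the normalized destination must be a direct child of UPLOAD_ROOT.
        Path candidate = UPLOAD_ROOT.resolve(clientFileName).normalize();
        if (!candidate.startsWith(UPLOAD_ROOT) || !UPLOAD_ROOT.equals(candidate.getParent())) {
            throw new IllegalArgumentException("destination escapes upload root");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed attacker-style input; the flawed handler resolves it outside UPLOAD_ROOT.
        String traversal = "../../webapps/ROOT/shell.jsp";
        System.out.println("flawed handler would write to: " + vulnerableDestination(traversal));
        for (String name : new String[] { traversal, "shell.jsp", "..", "report.pdf" }) {
            try {
                System.out.println("hardened accepts " + name + " -> " + safeDestination(name));
            } catch (IllegalArgumentException e) {
                System.out.println("hardened rejects " + name + ": " + e.getMessage());
            }
        }
    }
}
```

Validation of this kind inside the action is defense in depth, not a substitute for the vendor fix: the CVE record's remediation is to upgrade to 6.4.0 or later and migrate away from the old FileUploadInterceptor-based mechanism. Rejecting rather than sanitizing is deliberate, because each rejection is a concrete signal that an upload endpoint is being probed.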

CVE database technical details

CVE ID
CVE-2024-53677
Description
File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using the old file upload logic based on FileUploadInterceptor, your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067
Provider
apache
CWE / problem types
File upload logic is flawed
Affected Software Versions
Apache Software Foundation: Apache Struts, from 2.0.0 before 6.4.0 (status: affected; version type: semver)
Date Published
2024-12-11T15:35:43.389Z
Last Updated
2025-01-03T12:04:30.841Z