CVE-2024-53677
Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 11
Exploited in Wild: -
Decision
Descriptions
File upload logic flaw vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0, which fixes the issue. You can find more details at https://cwiki.apache.org/confluence/display/WW/S2-067
File upload logic in Apache Struts is flawed. An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using the old file upload logic based on FileuploadInterceptor, your application is safe. You can find more details at https://cwiki.apache.org/confluence/display/WW/S2-067
A critical vulnerability, CVE-2024-53677, has been identified in the popular Apache Struts framework, potentially allowing attackers to execute arbitrary code remotely. This vulnerability arises from flaws in the file upload logic, which can be exploited to perform path traversal and malicious file uploads. Apache Struts versions 2.0.0 to 2.5.33 and 6.0.0 to 6.3.0.2 are affected. The issue has been resolved in Apache Struts 6.4.0 and later versions.
CVSS Scores
SSVC
- Decision: Attend
Timeline
- 2024-11-21 CVE Reserved
- 2024-12-11 CVE Published
- 2024-12-12 EPSS Updated
- 2024-12-16 First Exploit
- 2025-01-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (12)
URL | Date | SRC
---|---|---
https://packetstorm.news/files/id/183165 | 2024-12-16 |
https://github.com/cloudwafs/s2-067-CVE-2024-53677 | 2024-12-18 |
https://github.com/TAM-K592/CVE-2024-53677-S2-067 | 2024-12-23 |
https://github.com/yangyanglo/CVE-2024-53677 | 2024-12-19 |
https://github.com/c4oocO/CVE-2024-53677-Docker | 2024-12-20 |
https://github.com/XiaomingX/CVE-2024-53677-S2-067 | 2024-12-18 |
https://github.com/dustblessnotdust/CVE-2024-53677-S2-067-thread | 2024-12-21 |
https://github.com/0xdeviner/CVE-2024-53677 | 2024-12-23 |
https://github.com/Q0LT/VM-CVE-2024-53677 | 2024-12-23 |
https://github.com/EQSTLab/CVE-2024-53677 | 2025-01-03 |
https://github.com/0xPThree/struts_cve-2024-53677 | 2025-01-07 |
https://cwiki.apache.org/confluence/display/WW/S2-067 | 2024-12-11 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Apache Software Foundation | Apache Struts | >= 2.0.0 < 6.4.0 | Affected