CVE-2024-53677 CRITICAL

CVE-2024-53677: Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks

Vendor Apache Software Foundation

Product Apache Struts

Published December 11, 2024

Last update January 3, 2025

View on NVD All CVEs

CVSS base score

9.5/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red

What the vulnerability does

Description

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

Key dates

Disclosure timeline

December 11, 2024 CVE published

January 3, 2025 Record updated