
Apache Struts FileUploadInterceptor Remote Code Execution Vulnerability (CVE-2024-53677)

Dec 13, 2024 GMT+08:00

I. Overview

Apache Struts has published security bulletin S2-067, disclosing a remote code execution vulnerability (CVE-2024-53677) in the framework's file upload handling. The defect is in the legacy FileUploadInterceptor: when an application uses it to accept uploads, an attacker can manipulate the file upload parameters to control the name under which the uploaded file is stored and achieve path traversal. Under some circumstances this allows a malicious file to be written to a location from which it is later executed, leading to remote code execution. Applications that do not handle uploads through FileUploadInterceptor are not affected.

Apache Struts is a widely used Java web application framework. If you run Apache Struts, check the version in use and apply the fix described below promptly.

Reference:

https://cwiki.apache.org/confluence/display/WW/S2-067

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Struts 2.0.0 - Struts 2.3.37 (EOL)

Struts 2.5.0 - Struts 2.5.33

Struts 6.0.0 - Struts 6.3.0.2

Secure versions:

Apache Struts >= 6.4.0

IV. Vulnerability Handling

Apache Struts 6.4.0 has been released to address this vulnerability. Note that upgrading alone is not sufficient: the legacy FileUploadInterceptor is deprecated in 6.4.0 but still present, so an application that keeps using it remains exposed. Upgrade to 6.4.0 or later and migrate upload handling to the new Action File Upload Interceptor (actionFileUpload), in which the action receives the uploaded files through the UploadedFilesAware interface instead of through request parameters that name the file.

https://github.com/apache/struts/releases

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
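The action below is an added illustration of the migration the fix requires; it is not code from this notice or from the Struts project. It implements the UploadedFilesAware interface introduced in Struts 6.4.0 and, because the new interceptor still hands the action the client-supplied original file name, it reduces that name to a single safe path element and verifies that the destination resolves inside the upload directory before writing. The upload root /var/app/uploads is an assumed deployment setting, and the cast of getContent() to java.io.File assumes the default Jakarta multipart parser, which stores each part in a temporary file.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * Upload action written against the Struts 6.4.0 Action File Upload mechanism.
 * Configure it with the actionFileUpload interceptor, not the deprecated fileUpload one.
 */
public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed deployment setting: a directory outside the web root that the container may write to.
    private static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private List<UploadedFile> uploadedFiles;

    // Struts calls this with every multipart file part; no *FileName request parameter is involved.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file was uploaded");
            return INPUT;
        }
        Files.createDirectories(UPLOAD_ROOT);
        for (UploadedFile uploaded : uploadedFiles) {
            // The original name still comes from the client; never use it as a path as-is.
            String safeName = sanitizeFileName(uploaded.getOriginalName());
            if (safeName == null) {
                addActionError("Rejected file name: " + uploaded.getOriginalName());
                return INPUT;
            }
            Path target = UPLOAD_ROOT.resolve(safeName).normalize();
            // Second, independent check: the final path must stay under the upload root.
            if (!target.startsWith(UPLOAD_ROOT)) {
                addActionError("Rejected file name: " + uploaded.getOriginalName());
                return INPUT;
            }
            Object content = uploaded.getContent();
            if (!(content instanceof File)) {
                // Assumption: the default Jakarta multipart parser stores each part as a temp File.
                addActionError("Unexpected upload content type");
                return INPUT;
            }
            Files.copy(((File) content).toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /**
     * Reduces a client-supplied name to a single safe path element.
     * Returns null when the name must be rejected.
     */
    static String sanitizeFileName(String original) {
        if (original == null || original.isEmpty()) {
            return null;
        }
        // Browsers and tools may send a full client-side path; keep only the last element.
        int cut = Math.max(original.lastIndexOf('/'), original.lastIndexOf('\\'));
        String base = original.substring(cut + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            return null;
        }
        // Conservative allow-list: letters, digits, dot, underscore and hyphen only.
        if (!base.matches("[A-Za-z0-9._-]{1,100}")) {
            return null;
        }
        return base;
    }
}
```

In struts.xml, the action's interceptor stack must reference actionFileUpload rather than fileUpload; simply upgrading the jar while keeping the fileUpload interceptor and the old File/String setter pattern leaves the application on the deprecated, vulnerable code path. The two checks in execute() are deliberately redundant: the allow-list rejects traversal sequences outright, and the startsWith() check would catch any name the allow-list let through.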