Apache Struts FileUploadInterceptor Remote Code Execution Vulnerability (CVE-2024-53677)
Dec 13, 2024 GMT+08:00
I. Overview
Recently, Apache Struts released a security notice disclosing a remote code execution vulnerability (CVE-2024-53677) in specific versions of Apache Struts. The vulnerability arises from a defect in the file upload logic: if an application uses FileUploadInterceptor, an attacker can manipulate file upload parameters to perform path traversal. Under some circumstances, the attacker can then upload malicious files and achieve remote code execution.
Apache Struts is a popular Java web application framework. If you are an Apache Struts user, check your version and apply the security hardening described below promptly.
Reference:
https://cwiki.apache.org/confluence/display/WW/S2-067
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Struts 2.0.0 - Struts 2.3.37 (EOL)
Struts 2.5.0 - Struts 2.5.33
Struts 6.0.0 - Struts 6.3.0.2
Secure versions:
Apache Struts >= 6.4.0
IV. Vulnerability Handling
A new official version has been released to address this vulnerability. Upgrade to a secure version and switch your upload handling to the Action File Upload Interceptor (ActionFileUploadInterceptor) to ensure safety.
https://github.com/apache/struts/releases
Note: Before applying the fix, back up your files and test the upgrade thoroughly.
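As an added illustration of the defensive point in this notice (example code, not from the advisory or from Apache Struts itself): an upload handler must never let a client-supplied filename decide where a file is written. The check below, in plain Java with no framework dependency, generates the stored name on the server and keeps only a validated extension from the client; the upload directory and the allowed extensions are assumptions for the example.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;
import java.util.UUID;

public class SafeUploadTarget {
    // Extensions the application actually needs; an assumption for this example.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "pdf");

    /**
     * Returns the path an upload may be written to, or throws if the client-supplied
     * name cannot be trusted. The stored name is generated by the server; only the
     * extension is taken from the client, and only after validation.
     */
    static Path resolveTarget(Path uploadDir, String clientName) {
        // A separator or parent reference in a filename is an attack signal worth
        // logging, not something to strip quietly.
        if (clientName.indexOf('/') >= 0 || clientName.indexOf('\\') >= 0
                || clientName.contains("..")) {
            throw new IllegalArgumentException("path characters in filename: " + clientName);
        }
        int dot = clientName.lastIndexOf('.');
        if (dot <= 0 || dot == clientName.length() - 1) {
            throw new IllegalArgumentException("missing extension: " + clientName);
        }
        String ext = clientName.substring(dot + 1).toLowerCase();
        if (!ext.matches("[a-z0-9]{1,5}") || !ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + clientName);
        }
        Path root = uploadDir.toAbsolutePath().normalize();
        Path target = root.resolve(UUID.randomUUID() + "." + ext).normalize();
        // Belt and braces: the final path must still sit directly inside the upload directory.
        if (!root.equals(target.getParent())) {
            throw new IllegalStateException("resolved path escaped upload directory");
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("uploads");
        // Constructed inputs: one benign name, then names that must be rejected.
        System.out.println("ok:       " + resolveTarget(dir, "report.pdf"));
        for (String bad : new String[] {"../../outside.pdf", "notes.txt", "noext"}) {
            try {
                resolveTarget(dir, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

In a migrated Struts 6.4 action the client name would be the original filename reported by the new interceptor; the same rule applies: use it only to pick a validated extension, and log rejections as a detection signal.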