Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-53677

UNKNOWN
Published 2024-12-11T15:35:43.389Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-53677. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.

This issue affects Apache Struts: from 2.0.0 before 6.4.0.

Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe.

You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache Software Foundation

Apache Struts

Affected Versions:

2.0.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

Apache Struts file upload logic is flawed

GHSA-43mq-6xmg-29vm

Advisory Details

File upload logic is flawed vulnerability in Apache Struts. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload. If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067 .

Affected Packages

Maven org.apache.struts:struts2-core
ECOSYSTEM: ≥0 <6.4.0

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-53677
WEB https://github.com/apache/struts/commit/1ecfbae46543a83e131404f8dcc84b3d0d554854
WEB https://github.com/apache/struts/commit/3ef9ade8902a63bb560892453eeca02bfddefc78
WEB https://github.com/apache/struts/commit/930fef7679d7247db9e460c146b1698a9d7ad1e4
WEB https://cwiki.apache.org/confluence/display/WW/S2-067
PACKAGE https://github.com/apache/struts
WEB https://security.netapp.com/advisory/ntap-20250103-0005
WEB https://struts.apache.org/core-developers/file-upload
WEB https://www.dynatrace.com/news/blog/the-anatomy-of-broken-apache-struts-2-a-technical-deep-dive-into-cve-2024-53677

Advisory provided by GitHub Security Advisory Database. Published: December 11, 2024, Modified: July 15, 2025

References

https://cwiki.apache.org/confluence/display/WW/S2-067
Published: 2024-12-11T15:35:43.389Z
Last Modified: 2025-01-03T12:04:30.841Z
Copied to clipboard!