Proof-of-Concept Released for Critical Apache Struts Vulnerability

CVE-2024-53677 could allow unauthenticated remote code execution, path traversal or upload of malicious files


Threat details

End-of-life versions and new file upload mechanism

Apache lists the affected releases as Struts 2.0.0 through 2.3.37, 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2. Versions 2.0.0 through 2.3.37 are end-of-life (EOL) and no longer supported, so no fix will be produced for that branch; the only remediation for applications on any affected release is to move to 6.4.0 or later.

CVE-2024-53677 is a vulnerability in the File Upload Interceptor. As of Struts 6.4.0 this interceptor is deprecated, and it has been removed entirely in Struts 7.0.0. Applications that do not use the File Upload Interceptor are not considered vulnerable. Apache advises that organisations upgrading to the latest version of Struts must also rewrite their actions to replace the File Upload Interceptor with the new file upload mechanism; upgrading the library without changing the application code does not fully remediate the issue.


Introduction

Apache has released security bulletin S2-067 addressing a critical vulnerability in Apache Struts 2. Apache Struts is an open-source model-view-controller (MVC) framework for building Java web applications.

CVE-2024-53677 is an 'Unrestricted Upload of File with Dangerous Type' vulnerability with a CVSSv4 score of 9.5. It exists in the File Upload Interceptor, the component that gives developers a convenient way to accept multipart file uploads in their actions. By manipulating the file upload parameters, a remote unauthenticated attacker can traverse system paths and, under some circumstances, place a malicious file in a location from which it can be executed, leading to remote code execution (RCE).

Proof-of-Concept code released for CVE-2024-53677

Public proof-of-concept code is now available for CVE-2024-53677. With working exploit code in circulation, exploitation of exposed, unpatched Struts applications is considered more likely.


Remediation advice

Affected organisations are encouraged to review the Apache security bulletin S2-067, upgrade to Apache Struts version 6.4.0 or higher, and migrate their actions to the new file upload mechanism. Both steps are required: the library upgrade alone does not remove the vulnerable code path, and the migration is what restores file upload functionality on the new mechanism.


Remediation steps

Type    Step
Patch   Upgrade Apache Struts to version 6.4.0 or higher.
        Reference: https://cwiki.apache.org/confluence/display/WW/S2-067
Action  For continued file upload functionality, organisations must migrate from the File Upload Interceptor (deprecated as of Struts 6.4.0) to the new Action File Upload Interceptor (available since Struts 6.4.0).
        NOTE: Apache states 'this change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Using the old File Upload mechanism keeps you vulnerable to this attack.'
        Reference: https://struts.apache.org/core-developers/action-file-upload-interceptor
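The following is an added example, not code from the advisory or from the Struts project, showing what the migration described in the Threat details and Remediation steps looks like in an application: the legacy File Upload Interceptor action convention that S2-067 says to retire, alongside the same action rewritten against the Struts 6.4+ UploadedFilesAware interface that the Action File Upload Interceptor drives. The package and class names, the /var/app/uploads directory and the extension allow-list are assumptions; that the interceptor is registered as actionFileUpload in your default stack should be verified against your own struts.xml.

```java
// Added example for the S2-067 migration; not code from the advisory or the Struts project.
// Assumes Struts 6.4.0 or later, where the ActionFileUploadInterceptor ("actionFileUpload")
// replaces the deprecated FileUploadInterceptor in the default stack (check your struts.xml).
// Package, class names, the upload directory and the extension allow-list are assumptions.
package example.upload;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.UUID;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

// BEFORE: the legacy FileUploadInterceptor convention that S2-067 says to retire. The old
// interceptor delivers <field>, <field>ContentType and <field>FileName through ordinary
// setters, so the client-supplied file name reaches the action as a settable property, and
// this action uses it to build the destination path. Kept only for contrast; do not ship it.
class LegacyUploadAction extends ActionSupport {
    private File upload;
    private String uploadContentType;
    private String uploadFileName;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadContentType(String contentType) { this.uploadContentType = contentType; }
    public void setUploadFileName(String fileName) { this.uploadFileName = fileName; }

    @Override
    public String execute() throws IOException {
        // Destination derived from a client-controlled name: a traversal sequence that
        // survives to this point writes the file outside /var/app/uploads.
        Files.copy(upload.toPath(), Paths.get("/var/app/uploads", uploadFileName));
        return SUCCESS;
    }
}

// AFTER: the Struts 6.4+ mechanism. The ActionFileUploadInterceptor calls withUploadedFiles()
// directly; the action exposes no file-name setter for a request parameter to reach.
public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");            // assumed; keep it outside the web root
    private static final List<String> ALLOWED_EXTENSIONS = Arrays.asList("pdf", "png"); // assumed allow-list

    private List<UploadedFile> uploadedFiles = new ArrayList<>();
    private final List<String> storedAs = new ArrayList<>();

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        Files.createDirectories(UPLOAD_DIR);
        for (UploadedFile file : uploadedFiles) {
            // The client's original name is consulted for the allow-list decision only.
            String extension = safeExtension(file.getOriginalName());
            if (extension == null || !ALLOWED_EXTENSIONS.contains(extension)) {
                addFieldError("upload", "File type not permitted");
                return INPUT;
            }
            // Server-generated name, plus a containment check that does not rely on the multipart parser.
            Path dest = UPLOAD_DIR.resolve(UUID.randomUUID() + "." + extension).normalize();
            if (!dest.startsWith(UPLOAD_DIR)) {
                throw new IllegalStateException("Resolved upload path escaped " + UPLOAD_DIR);
            }
            Files.copy(Paths.get(file.getAbsolutePath()), dest, StandardCopyOption.REPLACE_EXISTING);
            storedAs.add(dest.getFileName().toString());
        }
        return SUCCESS;
    }

    // Lower-case alphanumeric extension (1-8 chars) after the last '.', or null if absent or malformed.
    static String safeExtension(String originalName) {
        if (originalName == null) return null;
        int dot = originalName.lastIndexOf('.');
        if (dot < 0 || dot == originalName.length() - 1) return null;
        String ext = originalName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ext.matches("[a-z0-9]{1,8}") ? ext : null;
    }

    public List<String> getStoredAs() { return storedAs; }
}
```

Replacing the setter-based action with withUploadedFiles() is the change Apache requires. The server-generated file name and the startsWith containment check are defensive additions of this example rather than part of the fix: they ensure the client-supplied name is never used to build a filesystem path, so a future parser flaw that let a traversal sequence through would still have nothing to act on. The interceptor's own maximumSize, allowedTypes and allowedExtensions parameters can be set on the actionFileUpload interceptor reference in struts.xml as a first filter in front of the action's check.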


Last edited: 17 December 2024 2:31 pm