Recently, Apache Struts officially released a security notice disclosing a Remote Code Execution vulnerability (CVE-2024-53677). An attacker can manipulate file upload parameters to achieve path traversal, and under some circumstances this can lead to uploading a malicious file that can then be used to perform Remote Code Execution.
Apache Struts 2 is an open-source Java web application framework primarily used for building enterprise-level applications. If you are an Apache Struts 2 user, check your systems and apply the security hardening below promptly.
Severity: critical (the scale is low, medium, important, and critical)
Affected versions:
Struts 2.0.0 through Struts 2.3.37 (EOL)
Struts 2.5.0 through Struts 2.5.33 (EOL)
Struts 6.0.0 through Struts 6.3.0.2
Secure version:
Apache Struts >= 6.4.0
Solution: This vulnerability has been fixed in later official versions. If your service version falls into the affected range and uses FileUploadInterceptor, upgrade to the latest secure version (6.4.0 or later) and migrate to the new file upload mechanism; the upgrade alone does not complete the fix while the old interceptor remains in use.
References:
https://struts.apache.org/download.cgi
https://struts.apache.org/core-developers/file-upload
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
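As an added check, not part of the advisory, the following Python script classifies a struts2-core version (or a jar file name found on a classpath) against the affected ranges and secure version listed above. The version ranges and the fixed version are taken from this page; the jar names used as sample input are constructed. The interceptor name fileUpload and the note that it belongs to the framework's default interceptor stack are assumptions about Struts configuration, not statements made on this page, so treat the struts.xml check as a hint rather than proof that the interceptor is unused.

```python
"""Classify Apache Struts 2 versions against the CVE-2024-53677 advisory ranges.

Added example; the ranges and fixed version come from the advisory, the sample
jar names are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Inclusive version ranges the advisory lists as affected.
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("2.0.0", "2.3.37"),
    ("2.5.0", "2.5.33"),
    ("6.0.0", "6.3.0.2"),
)
# First release the advisory lists as secure.
FIXED_FROM = "6.4.0"

Version = Tuple[int, ...]

# struts2-core-<version>[-qualifier].jar, e.g. struts2-core-6.3.0.2.jar
_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text: str) -> Version:
    """'6.3.0.2' -> (6, 3, 0, 2). A qualifier such as '-SNAPSHOT' is ignored and
    trailing zeros are dropped so that '6.4.0' and '6.4' compare equal."""
    numeric = text.strip().split("-", 1)[0]
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version falls inside any published affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def classify(version: str) -> str:
    """'affected', 'fixed' (>= 6.4.0) or 'unlisted' (outside every published
    range, e.g. a 1.x release; verify such versions by hand)."""
    if is_affected(version):
        return "affected"
    if parse_version(version) >= parse_version(FIXED_FROM):
        return "fixed"
    return "unlisted"


def version_from_jar_name(name: str) -> Optional[str]:
    """Extract the version from a struts2-core jar path or file name, else None."""
    m = _JAR_RE.match(name.rsplit("/", 1)[-1])
    return m.group(1) if m else None


def scan_jars(jar_names: List[str]) -> Dict[str, str]:
    """Map every struts2-core jar in the list to its classification; other jars are skipped."""
    report: Dict[str, str] = {}
    for name in jar_names:
        version = version_from_jar_name(name)
        if version is not None:
            report[name] = classify(version)
    return report


def references_file_upload_interceptor(struts_xml: str) -> bool:
    """True if struts.xml explicitly references the fileUpload interceptor that
    the advisory names (assumed interceptor name). Caveat: this interceptor is
    also part of the framework's default stack, so False does not prove it is
    unused; only an explicit reference is detected here."""
    return re.search(r'<interceptor-ref\s+name="fileUpload"', struts_xml) is not None


if __name__ == "__main__":
    # Constructed sample classpath, not taken from any real deployment.
    sample = [
        "WEB-INF/lib/struts2-core-2.5.33.jar",
        "WEB-INF/lib/struts2-core-6.3.0.2.jar",
        "WEB-INF/lib/struts2-core-6.4.0.jar",
        "WEB-INF/lib/commons-io-2.11.0.jar",
    ]
    for jar, status in scan_jars(sample).items():
        print(f"{status:9} {jar}")
```

Run it against a listing of WEB-INF/lib (for example the output of unzipping a deployed WAR) to get a quick inventory; an "affected" result combined with FileUploadInterceptor in use is the case the advisory tells you to upgrade and migrate.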