4:00pm, 18 December 2024
TLP Rating:
Vulnerability affecting Apache Struts framework
CVE-2024-53677 (CVSS 9.5) is a file upload vulnerability that could allow an attacker to manipulate file upload parameters. This could enable path traversal, malicious file upload and remote code execution. The NCSC is aware of a proof of concept (PoC) and open-source reporting of active exploitation of this vulnerability.
An upgrade to the latest version that no longer uses FileUploadInterceptor is advised.
What's happening
Systems affected
Apache advises that the following versions are affected:
- Struts 2.0.0 - Struts 2.3.37
- Struts 2.5.0 - Struts 2.5.33
- Struts 6.0.0 - Struts 6.3.0.2
What to look for
How to tell if you're at risk
You are at risk if you are running one of the Apache Struts versions listed above with FileUploadInterceptor enabled.
Applications that use the affected Apache Struts versions but are not using the deprecated FileUploadInterceptor are not affected.
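One way to check both conditions above across an inventory of deployments, as an added example and not CERT NZ or Apache code: the version ranges are the advisory's, while the struts.xml parsing assumes a conventional layout in which the deprecated interceptor is registered under its struts-default.xml name `fileUpload` (and is part of `defaultStack`).

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, copied from the advisory.
AFFECTED_RANGES = [((2, 0, 0), (2, 3, 37)), ((2, 5, 0), (2, 5, 33)), ((6, 0, 0), (6, 3, 0, 2))]

def parse_version(text):
    """'6.3.0.2' -> (6, 3, 0, 2); qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a Struts version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def version_is_affected(text):
    """Component-wise comparison, zero-padded so 6.3.1 sorts above 6.3.0.2."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        n = max(len(v), len(lo), len(hi))
        pad = lambda t: t + (0,) * (n - len(t))
        if pad(lo) <= pad(v) <= pad(hi):
            return True
    return False

def file_upload_interceptor_refs(struts_xml):
    """List where struts.xml pulls in the deprecated interceptor: an <interceptor>
    whose class is FileUploadInterceptor, or an <interceptor-ref> to 'fileUpload'
    (its struts-default.xml name) or 'defaultStack', which includes fileUpload."""
    hits = []
    for el in ET.fromstring(struts_xml).iter():
        if el.tag == "interceptor" and "FileUploadInterceptor" in el.get("class", ""):
            hits.append(f"interceptor class={el.get('class')}")
        elif el.tag == "interceptor-ref" and el.get("name") in ("fileUpload", "defaultStack"):
            hits.append(f"interceptor-ref name={el.get('name')}")
    return hits

def assess(version, struts_xml):
    """At risk only when both advisory conditions hold: affected version AND interceptor in use."""
    affected = version_is_affected(version)
    refs = file_upload_interceptor_refs(struts_xml)
    return {"affected_version": affected, "interceptor_refs": refs,
            "at_risk": affected and bool(refs)}

# Constructed sample struts.xml for an upload action (not from a real deployment).
SAMPLE_STRUTS_XML = """<struts>
  <package name="upload" extends="struts-default">
    <action name="doUpload" class="example.UploadAction">
      <interceptor-ref name="fileUpload"/>
      <result>/done.jsp</result>
    </action>
  </package>
</struts>"""
```

An empty `interceptor_refs` list means the interceptor is not referenced in this file, not that it is absent from the deployment; check any additional configuration files the application loads.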
What to do
Prevention
Apache Struts needs to be updated to the advised version. The vendor's advisory recommends Struts 6.4.0 or greater.
Mitigation
On vulnerable Apache Struts versions, disable use of FileUploadInterceptor.
More information
Refer to the vendor advisory for more information:
S2-067 - Apache Struts 2 Wiki - Apache Software Foundation
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ