CVE-2024-53677

Remote Code Execution
Affects
Apache Struts
>=2.0.0 <=2.3.37, >=2.5.0 <=2.5.33, >=6.0.0 <=6.3.0.2
in
Spring
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications.

A Remote Code Execution (RCE) vulnerability (CVE-2024-53677) has been identified in Apache Struts. It allows attackers to execute arbitrary code on the target system by sending specially crafted requests, which can compromise system integrity and lead to further exploitation.

Per Crowdstrike: Remote code execution (RCE) refers to a class of cyberattacks in which attackers remotely execute commands to place malware or other malicious code on your computer or network. An RCE vulnerability can compromise a user’s sensitive data without the hackers needing to gain physical access to your network. 

This issue affects multiple versions from 2.0.0 up to, but not including, 6.4.0 (see the version ranges listed above).

Details

Module Info

Vulnerability Info

A Struts application that uses FileUploadInterceptor for file uploads is vulnerable to a path traversal attack. A malicious request can override the file name under which an upload is saved, causing the file to be written to a restricted location outside the intended upload directory, which can in turn lead to remote code execution.
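The root cause described above is that the server writes an upload under a name the client controls. The following helper is an added example (not Struts code and not the project's fix for this CVE): it shows the check an application's own upload handler should perform before touching the file system, namely rejecting any client-supplied name that carries directory components and confirming the resolved target stays inside a fixed upload root. The class name `UploadTargetResolver`, the `uploads` root and the sample names are all constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Hypothetical helper (not part of Struts): decides where an uploaded file may be written.
public final class UploadTargetResolver {

    // Conservative allow-list for a plain base name: no leading dot, no separators,
    // no control characters, bounded length.
    private static final Pattern SAFE_BASENAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    private UploadTargetResolver() {}

    /**
     * Returns the path the upload may be saved to, or throws IllegalArgumentException
     * if the client-supplied name could steer the write outside uploadRoot.
     * Names with directory components are rejected rather than silently trimmed to
     * their base name, so the attempt surfaces in application logs.
     */
    public static Path resolve(Path uploadRoot, String clientFileName) {
        if (clientFileName == null || clientFileName.isBlank()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Any separator (either flavour) or NUL byte means the name is not a plain base name.
        if (clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("file name contains path characters: " + clientFileName);
        }
        if (!SAFE_BASENAME.matcher(clientFileName).matches()) {
            throw new IllegalArgumentException("file name outside allow-list: " + clientFileName);
        }

        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(clientFileName).normalize();
        // Containment check: even after the name passed, never write outside the upload root.
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("target escapes upload root: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("uploads");       // constructed upload root for the demo
        String[] samples = {                    // constructed sample names, not from any real request
            "invoice-2024.pdf",
            "../../outside.txt",
            "..\\..\\outside.txt",
            "/absolute/outside.txt",
            ".hidden",
            "..",
        };
        for (String name : samples) {
            try {
                System.out.println("ACCEPT " + name + " -> " + resolve(root, name));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `invoice-2024.pdf` is accepted in the demo; every other sample is refused before any file is opened. A stronger design ignores the client name entirely and stores the file under a server-generated name (for example a random UUID with a validated extension), keeping the original name only as metadata. None of this replaces the upgrade to Struts 6.4.0 or later and the migration to the new upload mechanism the advisory calls for; it is the check a migrated handler should still perform on its own output path.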

Steps To Reproduce

A public reproduction of the issue has been published and is available here. By including an extra request parameter that overrides the file name, an attacker can cause the uploaded file to be saved in an unintended location.

Mitigation

Struts 2.5.x is no longer community-supported, so the community version will not receive any update addressing this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to the patched version Struts 6.4.0 or later and migrate to the new file upload mechanism; upgrading alone, without the migration, does not resolve the issue.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

Shinsaku Nomura - Apache Struts Security Bulletins

Vulnerability Details

ID: CVE-2024-53677
Project Affected: Apache Struts
Versions Affected: >=2.0.0 <=2.3.37, >=2.5.0 <=2.5.33, >=6.0.0 <=6.3.0.2
Published date: December 17, 2024
Fix date (approximate): December 17, 2024
Severity: Critical
Category: Remote Code Execution