s2-067(CVE-2024-53677) Summary File upload logic is flawed, and allows an attacker to enable paths with traversals - similar problem as reported in S2-066 Who should read this
All Struts 2 developers and users
Impact of vulnerability
Remote Code Execution
Maximum security rating
Critical
Recommendation
Upgrade to Struts 6.4.0 or greater and use Action File Upload Interceptor
Affected Software
Struts 2.0.0 - Struts 2.3.37 (EOL), Struts 2.5.0 - Struts 2.5.33, Struts 6.0.0 - Struts 6.3.0.2
Reporters
Shinsaku Nomura
CVE Identifier
CVE-2024-53677
Problem An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Note: application not using FileUploadInterceptor are safe.
Solution Upgrade to Struts 6.4.0 or greater and migrate to the new file upload mechanism.
Backward compatibility This change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Keep using the old File Upload mechanism keeps you vulnerable to this attack.
Workaround
CVE-2024-53677 Detail Received This vulnerability has been received by the NVD and has not been analyzed.
Description File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0, which fixes the issue. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067