Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-53677

Опубликовано: 11 дек. 2024
Источник: redhat
CVSS3: 9
EPSS Высокий

Описание

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067

A flaw was found in Apache Struts. Affected versions of this package are vulnerable to remote code execution (RCE) via manipulation of the file upload mechanism that enables path traversal. Under certain conditions, uploading a malicious file is possible and may then be executed on the server.

Отчет

No Red Hat products are affected by this vulnerability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
A-MQ Clients 2org.apache.struts/struts-coreNot affected
A-MQ Clients 2org.apache.struts/struts-taglibNot affected
A-MQ Clients 2org.apache.struts/struts-tilesNot affected
Red Hat AMQ Broker 7org.apache.struts/struts-coreNot affected
Red Hat AMQ Broker 7org.apache.struts/struts-taglibNot affected
Red Hat AMQ Broker 7org.apache.struts/struts-tilesNot affected
Red Hat build of Apache Camel for Spring Boot 4org.apache.struts/struts-coreNot affected
Red Hat build of Apache Camel for Spring Boot 4org.apache.struts/struts-taglibNot affected
Red Hat build of Apache Camel for Spring Boot 4org.apache.struts/struts-tilesNot affected
Red Hat build of Debezium 2org.apache.struts/struts-coreNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Critical
Дефект:
CWE-552
https://bugzilla.redhat.com/show_bug.cgi?id=2331686struts: org.apache.struts: mixing setters for uploaded files and normal fields can allow bypass file upload checks

EPSS

Процентиль: 100%
0.89326
Высокий

9 Critical

CVSS3

Связанные уязвимости

nvd логотип

CVE-2024-53677

CVSS3: 9.8
nvd
около 1 года назад

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067

github логотип

GHSA-43mq-6xmg-29vm

CVSS3: 9.8
github
около 1 года назад

Apache Struts file upload logic is flawed

fstec логотип

BDU:2024-11084

CVSS3: 9
fstec
около 1 года назад

Уязвимость механизма File Upload программной платформы Apache Struts, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 100%
0.89326
Высокий

9 Critical

CVSS3