
CVE-2024-53677:
Apache Struts file upload logic is flawed

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 12/11/2024
Updated: 1/3/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Red
Package Name                    | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.struts:struts2-core  | maven     | < 6.4.0             | 6.4.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the legacy FileUploadInterceptor and the multipart request handling it relies on. The advisory explicitly states that applications using FileUploadInterceptor are vulnerable, while the newer ActionFileUploadInterceptor (introduced in 6.4.0) is not. FileUploadInterceptor's intercept method takes the parsed upload (file, content type and file name) and hands it to the action as parameters, and JakartaMultiPartRequest's parse method is what turns the raw multipart body into those values. Neither adequately sanitizes the user-supplied file name, so an attacker who controls it can inject path traversal sequences and steer where the uploaded file is written. Confidence is high for FileUploadInterceptor because the advisory names it directly, and medium for JakartaMultiPartRequest because its role is inferred from its place in the deprecated upload mechanism rather than stated in the advisory.

Vulnerable functions

org.apache.struts2.interceptor.FileUploadInterceptor.intercept
  org/apache/struts2/interceptor/FileUploadInterceptor.java
  FileUploadInterceptor passes the upload's file name through to the action without sanitizing it, so an attacker can place path traversal sequences (e.g., '../') in the file name parameter. If the action builds its destination path from that value, the uploaded file lands outside the intended upload directory; under some circumstances (for example, a file written into a location the servlet container will execute from) this can lead to remote code execution.

org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse
  org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java
  This method parses the multipart request and exposes the client-supplied file names downstream. Because it does not validate them against path traversal sequences, the traversal survives into the values the interceptor and action consume.
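The two functions above matter because the value they hand to the action ends up in a file system path. The following Java program is an added example written for this page, not code from the Struts project: it places the vulnerable destination-path pattern next to a fail-closed replacement, and wraps it in an action whose setter names (setUpload, setUploadContentType, setUploadFileName for a form field called "upload") follow the convention FileUploadInterceptor uses. The class and method names (UploadPathCheck, vulnerableDestination, safeDestination, UploadAction) and the sample file names are my own constructions; the action is plain Java rather than an ActionSupport subclass so the example compiles and runs with no Struts on the classpath (Java 11 or later).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

/**
 * Added example, not Struts project code. Shows the destination-path pattern
 * that CVE-2024-53677 abuses through FileUploadInterceptor, next to a
 * fail-closed replacement. No Struts dependency; the action class below only
 * mirrors the setter names FileUploadInterceptor uses for a field "upload".
 */
public class UploadPathCheck {

    /** Vulnerable: trusts the interceptor-supplied file name verbatim. */
    static Path vulnerableDestination(Path uploadDir, String fileName) {
        return uploadDir.resolve(fileName);   // "../../x" or "/abs/x" escape
    }

    /**
     * Hardened: accept only a bare leaf name, then re-check that the
     * normalized result is a direct child of the upload directory.
     */
    static Path safeDestination(Path uploadDir, String fileName) {
        if (fileName == null || fileName.isBlank()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Fail closed on both separator styles: the server may run on Linux
        // while the request carries a Windows-style path, and vice versa.
        if (fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0
                || fileName.indexOf('\0') >= 0
                || fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("rejected file name: " + fileName);
        }
        // Defense in depth: the resolved path must sit directly under uploadDir.
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileName).normalize();
        if (!base.equals(target.getParent())) {
            throw new IllegalArgumentException("path escapes upload directory: " + fileName);
        }
        return target;
    }

    /**
     * Shape of an action populated by FileUploadInterceptor: for a multipart
     * field named "upload" it calls setUpload, setUploadContentType and
     * setUploadFileName. A real action would extend ActionSupport; this one is
     * plain Java so the example stays self-contained.
     */
    public static class UploadAction {
        private final Path uploadDir;
        private File upload;
        private String uploadFileName;
        private String uploadContentType;

        public UploadAction(Path uploadDir) { this.uploadDir = uploadDir; }
        public void setUpload(File upload) { this.upload = upload; }
        public void setUploadFileName(String n) { this.uploadFileName = n; }
        public void setUploadContentType(String t) { this.uploadContentType = t; }

        public String execute() throws IOException {
            // Swapping in vulnerableDestination here is the CVE-2024-53677 pattern.
            Path dest = safeDestination(uploadDir, uploadFileName);
            Files.copy(upload.toPath(), dest, StandardCopyOption.REPLACE_EXISTING);
            return "success";
        }
    }

    public static void main(String[] args) throws IOException {
        Path uploadDir = Files.createTempDirectory("struts-uploads");
        // Constructed file names, including the traversal shapes an attacker
        // would place in the file name parameter.
        String[] names = {
            "report.pdf",
            "../../webapps/ROOT/shell.jsp",
            "..\\..\\webapps\\ROOT\\shell.jsp",
            "/etc/cron.d/job",
        };
        for (String name : names) {
            System.out.println(name);
            System.out.println("  vulnerable -> " + vulnerableDestination(uploadDir, name).normalize());
            try {
                System.out.println("  hardened   -> " + safeDestination(uploadDir, name));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened   -> REJECTED: " + e.getMessage());
            }
        }
    }
}
```

Run it with `java UploadPathCheck.java`. The vulnerable line shows the "../../" and absolute-path inputs resolving outside the temporary upload directory, while the hardened check rejects every shape that is not a plain leaf name. Treat the action-level check as defense in depth only: the flaw is in the interceptor and multipart parser, so the fix this page records is upgrading struts2-core to 6.4.0 and moving the application to ActionFileUploadInterceptor. Generating the stored file name server-side and keeping the client's name only as metadata removes the user-controlled path component altogether.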

WAF Protection Rules

WAF Rule

File upload logic is flawed vulnerability in Apache Struts. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Exec
