About the Vulnerability
Introduction
Apache Struts is a free and open-source MVC framework for creating elegant modern Java web applications. It supports convention over configuration, can be extended using a plugin architecture, and comes with plugins that support REST, AJAX, and JSON.
Summary
On December 12, 2024, Sangfor FarSight Labs received notification of an arbitrary file upload vulnerability (CVE-2024-53677) in an Apache Struts 2 component, rated critical in threat level.
Apache Struts 2 contains a severe file upload vulnerability (S2-067). Unauthorized attackers can manipulate file upload parameters to achieve path traversal, potentially uploading malicious files that lead to remote code execution.
Note: Applications that do not use the FileUploadInterceptor module are not affected by this vulnerability.
Affected Versions
2.0.0 ≤ Apache Struts 2 ≤ 2.3.37
2.5.0 ≤ Apache Struts 2 ≤ 2.5.33
6.0.0 ≤ Apache Struts 2 ≤ 6.3.0.2
Solutions
Official Solution
Fixed versions have been officially released. Affected users should update Apache Struts 2 to one of the versions below, or upgrade the project to the latest file upload mechanism.
Apache Struts 2 6.4.0 and later.
Download link: https://struts.apache.org/download.cgi
File Upload Mechanism Migration Link:
https://struts.apache.org/core-developers/file-upload
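The migration the advisory points to replaces the legacy FileUploadInterceptor, where the action exposed setters for the file, its content type and its file name, with an action that implements UploadedFilesAware and receives the parsed files directly. The following upload action is an added illustration written for this page; it is not code from the advisory or from the Struts project. It assumes the Struts 6.4.0 interfaces org.apache.struts2.action.UploadedFilesAware (method withUploadedFiles) and org.apache.struts2.dispatcher.multipart.UploadedFile (methods getOriginalName and getAbsolutePath), that the action runs behind the actionFileUpload interceptor of the 6.4.0 default stack, and a hypothetical storage root of /var/app/uploads. The point to notice is that no request parameter influences the stored file name or its directory: the name is generated server-side, the extension comes from a short allow-list, and the resolved path is checked to stay inside the upload root.

```java
package example.upload; // hypothetical package name

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.UUID;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * Upload action written against the Struts 6.4.0 file upload mechanism
 * (actionFileUpload interceptor + UploadedFilesAware). The legacy pattern
 * exposed setUpload(File), setUploadContentType(String) and
 * setUploadFileName(String) on the action; this one exposes none of them.
 */
public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {

    // Hypothetical storage root. Keep it outside the web root so an uploaded
    // file can never be served or executed by the container directly.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private List<UploadedFile> uploadedFiles;
    private String storedAs;

    // Called by the actionFileUpload interceptor with the parsed multipart
    // files (signature assumed from the Struts 6.4.0 migration guide).
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file was uploaded.");
            return INPUT;
        }
        UploadedFile upload = uploadedFiles.get(0);

        // The client-supplied name is consulted only to pick an extension from
        // an allow-list; the stored name itself is generated on the server.
        String extension = allowedExtension(upload.getOriginalName());
        if (extension == null) {
            addActionError("File type not permitted.");
            return INPUT;
        }
        Path target = UPLOAD_ROOT.resolve(UUID.randomUUID() + extension).normalize();

        // Containment check: refuse any target that resolves outside the root,
        // even though the name above cannot contain a path separator.
        if (!target.startsWith(UPLOAD_ROOT)) {
            addActionError("Rejected target path.");
            return INPUT;
        }

        Files.createDirectories(UPLOAD_ROOT);
        // getAbsolutePath() points at the temporary file the multipart parser wrote.
        Path temp = Paths.get(upload.getAbsolutePath());
        Files.copy(temp, target, StandardCopyOption.REPLACE_EXISTING);
        storedAs = target.getFileName().toString();
        return SUCCESS;
    }

    /** Returns a lower-case extension from a small allow-list, or null if not permitted. */
    static String allowedExtension(String originalName) {
        if (originalName == null) {
            return null;
        }
        String name = originalName.toLowerCase();
        for (String ext : new String[] {".png", ".jpg", ".pdf"}) {
            if (name.endsWith(ext)) {
                return ext;
            }
        }
        return null;
    }

    public String getStoredAs() {
        return storedAs;
    }
}
```

When reviewing an existing project after the upgrade, grep the actions for setters named like setXxxFileName and for references to the fileUpload interceptor in struts.xml; those are the spots that still rely on the legacy mechanism the advisory says to migrate away from.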
Timeline
On December 12, 2024, Sangfor FarSight Labs received notification of the Apache Struts 2 arbitrary file upload vulnerability.
On December 12, 2024, Sangfor FarSight Labs released a vulnerability alert.