CVE-2024-53677

CRITICAL EPSS 99.5%

Published Dec 11, 20241y ago · Modified Jun 17, 20261w ago

9.5 CVSS 4.0

Critical

Published Dec 11, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

CVSS Details

Base Score

9.5

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Red

Attack Vector Network

Attack Complexity High

Privileges Required None

User Interaction None

Scope N

Threat Intelligence

EPSS Exploit Probability

99.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt

Affected Products 1

Vendor	Product	Version	Range
apache	struts	*	≥2.0.0 – <6.4.0

References 2

cwiki.apache.org https://cwiki.apache.org/confluence/display/WW/S2-067

Third Party Advisory
security.netapp.com https://security.netapp.com/advisory/ntap-20250103-0005/

Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.