CVE-2024-53677: Critical vulnerability affecting Apache Struts
Information has been disclosed about a new critical vulnerability affecting the popular Apache Struts framework. CVE-2024-53677 could allow an unauthenticated remote attacker to execute arbitrary code on the affected server.
Apache Struts is an open-source web development framework based on Java, designed to build robust and scalable web applications. It is particularly known for implementing the Model-View-Controller (MVC) design pattern, which separates business logic, presentation, and control flow in web applications.
CVE-2024-53677 key features
The main details of this vulnerability are outlined below:
- CVE Identifier: CVE-2024-53677.
- Publication date: 12/11/2024.
- Affected software: Apache Struts.
- CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical).
- Affected Versions:
  - From version 2.0.0 to 2.5.33.
  - From version 6.0.0 to 6.3.0.2.
- Exploitation: This vulnerability originates in the file upload mechanism of Apache Struts. An attacker can manipulate parameters during the file upload process, leading to a Path Traversal vulnerability. A file can be uploaded to an arbitrary location on the server. Subsequently, this file can be executed, resulting in a Remote Code Execution (RCE) vulnerability.
Mitigation
The main solution is to update Apache Struts to version 6.4.0. As the Apache statement explains, the fix consists of a new file upload mechanism (the Action File Upload interceptor), so applications that keep using the legacy file upload interceptor after the upgrade remain exposed and must migrate to the new mechanism.
Apache has published an official statement with detailed information and updates regarding this vulnerability.
Vulnerability detection
The presence of the vulnerability can be identified by checking the version of Apache Struts being used.
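The version check described above, as an added example (not Tarlogic's or Apache's code): it parses Struts version strings, compares them against the affected ranges listed in this advisory (bounds treated as inclusive) and classifies `struts2-core-*.jar` files found in a deployment's library directory. The jar naming pattern and the inclusive-range interpretation are assumptions.

```python
import re
from pathlib import Path

# Affected ranges from the advisory (inclusive bounds assumed); 6.4.0 is the fixed release.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 5, 33)),
    ((6, 0, 0), (6, 3, 0, 2)),
]
FIXED_VERSION = (6, 4, 0)

# Assumed naming of the core library jar, e.g. struts2-core-6.3.0.2.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple:
    """Turn '6.3.0.2' into (6, 3, 0, 2); a non-numeric suffix ends parsing."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable Struts version: {text!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if the version lies inside an affected range.

    Tuple comparison handles versions of different length: (6, 3, 0)
    sorts before (6, 3, 0, 2), so 6.3.0 is correctly flagged as affected.
    """
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def classify_jars(names) -> dict:
    """Map each struts2-core jar name to a verdict; other jars are ignored."""
    verdicts = {}
    for name in names:
        m = JAR_RE.match(Path(name).name)
        if m:
            verdicts[name] = is_vulnerable(m.group(1))
    return verdicts


def scan_lib_dir(lib_dir: Path) -> dict:
    """Walk a deployment's lib directory (e.g. WEB-INF/lib) and classify jars."""
    return classify_jars(str(p) for p in lib_dir.rglob("struts2-core-*.jar"))
```

Run `scan_lib_dir(Path("/path/to/app/WEB-INF/lib"))` against each deployed application; a `True` verdict means the jar version falls inside an affected range and the mitigation above applies.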
Additionally, a GitHub repository provides a script to verify if an instance is vulnerable, as well as a proof of concept:
As part of its emerging vulnerabilities service, Tarlogic Security proactively monitors the perimeter of its clients to report, detect, and urgently notify of the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.