Attackers have attempted to exploit a vulnerability in Apache Struts tracked as CVE-2024-53677.

451/67 Friday, December 20, 2024

Researchers have issued a warning about a critical vulnerability in Apache Struts, tracked as CVE-2024-53677, which carries a CVSS score of 9.5. The flaw lets an attacker manipulate file upload parameters to perform a path traversal, so that an uploaded file is written outside the intended upload directory; if the attacker can place a malicious file somewhere the server will execute it, this leads to Remote Code Execution (RCE). The vulnerability affects the following versions:

  • Struts 2.0.0 to Struts 2.3.37 (EOL)
  • Struts 2.5.0 to Struts 2.5.33 (EOL)
  • Struts 6.0.0 to Struts 6.3.0.2

Dr. Johannes Ullrich of the SANS Technology Institute explained that the vulnerability stems from an incomplete fix for the earlier CVE-2023-50164, which it closely resembles. A Proof-of-Concept (PoC) exploit has already been published, and attackers have begun using it in real-world exploitation attempts.

To mitigate the risk, users are advised to upgrade to Struts 6.4.0 or later and to migrate their upload actions to the new Action File Upload Interceptor. Upgrading alone is not sufficient: the fix is not backward compatible, and actions that keep using the legacy File Upload Interceptor remain vulnerable.
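As an added example (not code from the article, from SANS, or from the Struts project), the following shows what the recommended migration looks like in practice: an action that receives its files through the Struts 6.4 Action File Upload Interceptor and refuses to use the client-supplied file name as a path. The package name, the upload directory, and the struts.xml fragment in the comment are assumptions.

```java
// Added example, not from the article or the Struts project. Package, upload
// directory and the struts.xml fragment below are assumptions.
package com.example.upload;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;

/*
 * Assumed struts.xml wiring. "actionFileUpload" is the interceptor added in
 * Struts 6.4.0; the legacy "fileUpload" interceptor is the one to stop using.
 *
 * <action name="doUpload" class="com.example.upload.UploadAction">
 *     <interceptor-ref name="actionFileUpload">
 *         <param name="maximumSize">2097152</param>
 *         <param name="allowedTypes">image/png,image/jpeg</param>
 *         <param name="allowedExtensions">png,jpg,jpeg</param>
 *     </interceptor-ref>
 *     <interceptor-ref name="defaultStack"/>
 *     <result name="success">/upload-done.jsp</result>
 *     <result name="input">/upload-form.jsp</result>
 * </action>
 */
public class UploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed destination directory; keep it outside the web root.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private UploadedFile uploadedFile;

    // The new interceptor hands the parsed multipart parts straight to the
    // action. There is no setXxxFileName() setter for the parameters
    // interceptor to overwrite from request parameters.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        if (!uploadedFiles.isEmpty()) {
            this.uploadedFile = uploadedFiles.get(0);
        }
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFile == null) {
            addActionError("No file was uploaded");
            return INPUT;
        }
        // getOriginalName() is the client-controlled name from the multipart
        // header: untrusted input, never a path.
        Path target = safeTargetPath(UPLOAD_DIR, uploadedFile.getOriginalName());
        if (target == null) {
            addActionError("Rejected file name");
            return INPUT;
        }
        Files.createDirectories(UPLOAD_DIR);
        // getContent() returns the interceptor's temporary File for this part.
        File tmp = (File) uploadedFile.getContent();
        Files.copy(tmp.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }

    /**
     * Reduce the client-supplied name to a bare file name, then confirm the
     * resolved path is still inside baseDir. Returns null when the name is
     * empty, contains separators or NUL, is "." or "..", or escapes baseDir.
     */
    static Path safeTargetPath(Path baseDir, String clientName) {
        if (clientName == null || clientName.trim().isEmpty()) {
            return null;
        }
        // Reject separators outright instead of "cleaning" them: both
        // "../../x" and "..\\..\\x" must fail, not be silently repaired.
        if (clientName.contains("/") || clientName.contains("\\")
                || clientName.indexOf('\0') >= 0) {
            return null;
        }
        Path name = Paths.get(clientName).getFileName();
        if (name == null || name.toString().equals(".") || name.toString().equals("..")) {
            return null;
        }
        Path resolved = baseDir.resolve(name).normalize();
        // Defence in depth: the final path must still start with baseDir.
        return resolved.startsWith(baseDir) ? resolved : null;
    }
}
```

The two checks in safeTargetPath are deliberately redundant: the separator test rejects any attempt at traversal before a Path is even built, and the startsWith test catches anything that slips past it, so a mistake in one does not silently reopen the write-anywhere primitive the advisory describes.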

Source https://securityaffairs.com/172109/hacking/apache-struts-vulnerability-cve-2024-53677-flaw.html