CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-53677

CVSS 9.5v4.0pub. 2024-12-11upd. 2025-07-15

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Red
  • Apache Struts

    APP
    Apache
    2.0.0 – 6.4.0 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....

CVE-2017-9791CRITICAL9.8⚠ KEVten sam produkt

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...

CVE-2017-5638CRITICAL9.8⚠ KEVten sam produkt

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect ex...

CVE-2013-2251CRITICAL9.8⚠ KEVten sam produkt

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...

CVE-2012-0391CRITICAL9.8⚠ KEVten sam produkt

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressio...