- Description
- An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
- Source
- security@apache.org
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security@apache.org
- CWE-552
- Hype score
- Not currently trending
Threat Actors Actively Exploiting Apache Struts Vulnerability CVE-2024-53677 https://t.co/PqfsEpkB7p CVE-2023-50164 CVE-2024-53677
@vault33org
27 Dec 2024
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Rapid7 analysis of Apache #Struts2 CVE-2024-53677 below via @the_emmons. Very similar to Struts CVE-2023-50164 — payloads have to be customized to the target and unsuccessful exploit attempts are being incorrectly interpreted as exploitation in the wild. https://t.co/IQqCG6uJD2
@catc0n
18 Dec 2024
6591 Impressions
19 Retweets
42 Likes
16 Bookmarks
1 Reply
1 Quote
About the recently discovered file upload vulnerabilities related to Apache Struts2 (CVE-2024-53677 and CVE-2023-50164): files may be uploaded through a directory traversal attack, and in some cases this can enable RCE. It is especially dangerous when a web shell is uploaded to the root. https://t.co/rLrrDMmcq4
@t_nihonmatsu
16 Dec 2024
1729 Impressions
3 Retweets
20 Likes
7 Bookmarks
1 Reply
0 Quotes
Exploit attempts inspired by recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164) - SANS Internet Storm Center - https://t.co/uSUrvNmo3m
@moton
15 Dec 2024
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Exploit attempts inspired by Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164) https://t.co/wNlirGcQTP https://t.co/fjXeqU2oec
@sans_isc
15 Dec 2024
2449 Impressions
7 Retweets
10 Likes
1 Bookmark
0 Replies
0 Quotes
A vulnerability in Struts 2 that could lead to RCE through path traversal. Not affected if FileUploadInterceptor is not in use. Reportedly the same kind of issue as S2-066 (CVE-2023-50164). CVE-2024-53677 S2-067 - Apache Struts 2 Wiki - Apache Software Foundation https://t.co/VTXVY3EFe3
@autumn_good_35
11 Dec 2024
1095 Impressions
5 Retweets
6 Likes
5 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BE174994-63BE-4A3F-A986-7903868FCE23",
            "versionEndExcluding": "2.5.33",
            "versionStartIncluding": "2.0.0"
          },
          {
            "criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DBE0443B-320B-4C29-83DC-624546AEE6D5",
            "versionEndExcluding": "6.3.0.2",
            "versionStartIncluding": "6.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]