Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-53677

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

Published

2024-12-11T16:15:14.593

Last Modified

2025-07-15T16:30:19.423

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Secondary
CWE-434

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	struts	< 6.4.0	Yes

References

https://cwiki.apache.org/confluence/display/WW/S2-067 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20250103-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)