Summary
File upload logic is flawed and allows an attacker to enable path traversal; this is a similar problem to the one reported in S2-066.

| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Remote Code Execution |
| Maximum security rating | Critical |
| Recommendation | Upgrade to Struts 6.4.0 or greater and use Action File Upload Interceptor |
| Affected Software | |
| Reporters | Shinsaku Nomura |
| CVE Identifier | CVE-2024-53677 |
Problem
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file that can then be used to perform Remote Code Execution.
Note: applications not using FileUploadInterceptor are not affected.
Solution
Upgrade at least to Struts 6.4.0 (or the latest version) and migrate to the new file upload mechanism.
Backward compatibility
This change isn't backward compatible: you must rewrite your actions to use the new Action File Upload mechanism and its related interceptor. Continuing to use the old File Upload mechanism leaves you vulnerable to this attack.
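The following is an added example (not code from the advisory or from the Struts project) showing what the migration described under Problem, Solution and Backward compatibility looks like in an action class. The first class is the legacy `fileUpload`-interceptor pattern, where the file name handed to the action is used directly as a path component; the second is the Struts 6.4.0+ `UploadedFilesAware` pattern, where the client-supplied name is treated as untrusted metadata. The package name, the upload directory, the allowed-extension list and the size limit are hypothetical; the `UploadedFilesAware`, `UploadedFile` and `ActionSupport` imports are as I understand the 6.4.0 API and should be checked against the version you upgrade to.

```java
// Added example; not from the advisory or the Struts project.
// Package, directory, extension list and size limit are hypothetical.
package com.example.upload;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * BEFORE: legacy action driven by the "fileUpload" interceptor (FileUploadInterceptor).
 * The interceptor fills the fields through plain setters and the action then uses the
 * supplied file name as a path component. Trusting that name is the pattern the
 * advisory warns about: a manipulated upload parameter decides where the file lands.
 */
class LegacyUploadAction extends ActionSupport {
    private File upload;
    private String uploadFileName;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadFileName(String uploadFileName) { this.uploadFileName = uploadFileName; }

    @Override
    public String execute() throws IOException {
        // "../" segments in uploadFileName walk out of the upload directory
        File dest = new File("/var/app/uploads", uploadFileName);
        Files.copy(upload.toPath(), dest.toPath(), StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

/**
 * AFTER: Struts 6.4.0+ action implementing UploadedFilesAware, run through the
 * "actionFileUpload" interceptor (ActionFileUploadInterceptor). The original name is
 * only consulted for its extension, the stored name is generated server-side, and the
 * resolved path is checked to remain inside UPLOAD_DIR.
 */
public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_EXT = new HashSet<>(Arrays.asList("png", "jpg", "jpeg", "pdf"));
    private static final long MAX_BYTES = 5L * 1024 * 1024;

    private List<UploadedFile> uploadedFiles;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("no file uploaded");
            return INPUT;
        }
        Files.createDirectories(UPLOAD_DIR);
        for (UploadedFile uploaded : uploadedFiles) {
            String ext = extensionOf(uploaded.getOriginalName());
            if (!ALLOWED_EXT.contains(ext)) {
                addActionError("file type not allowed: " + ext);
                return INPUT;
            }
            File temp = (File) uploaded.getContent();   // temp file written by the multipart parser
            if (temp.length() > MAX_BYTES) {
                addActionError("file too large");
                return INPUT;
            }
            Files.copy(temp.toPath(), storagePathFor(ext), StandardCopyOption.REPLACE_EXISTING);
            uploaded.delete();
        }
        return SUCCESS;
    }

    /** Server-chosen name inside UPLOAD_DIR; the startsWith check is defence in depth. */
    static Path storagePathFor(String ext) {
        Path target = UPLOAD_DIR.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(UPLOAD_DIR)) {
            throw new IllegalStateException("resolved path left the upload directory");
        }
        return target;
    }

    /** Extension of the last path segment only: "../../x.jsp" and "..\\x.jsp" both yield "jsp" and are rejected. */
    static String extensionOf(String originalName) {
        if (originalName == null) return "";
        int cut = Math.max(originalName.lastIndexOf('/'), originalName.lastIndexOf('\\'));
        String base = originalName.substring(cut + 1);
        int dot = base.lastIndexOf('.');
        return dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
}
```

The new action only receives files if it is routed through the `actionFileUpload` interceptor; when you rewrite an action, also check the interceptor stack in `struts.xml` so that it no longer references `fileUpload`, otherwise the `withUploadedFiles` method is never called and the old code path stays in use. Note that the hardened class never uses a client-supplied string as a path component, so a traversal sequence in the name can at most fail the extension check.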
Workaround
n/a