Apache issues patches for critical Struts 2 RCE bug
Briefly

The National Vulnerability Database (NVD) records Apache's own CVSS v4 score for CVE-2024-53677 as 9.5, and Tenable rates it 9.8 under CVSS v3. Both scores reflect the same property: the flaw can be exploited without any privileges, which is what makes it so serious.
Describing the flaw, Apache said in its advisory: "An attacker can manipulate file upload parameters to enable path traversal and, under some circumstances, this can lead to uploading a malicious file which can be used to perform remote code execution." In other words, the destination of an upload is attacker-influenced: a crafted multipart request can land a file outside the intended directory, and an attacker-controlled file in the wrong place is a short step from code execution.
Given that a Struts bug was behind the 'entirely preventable' Equifax breach of 2017, there is every reason to err on the side of caution. There is no workaround for this vulnerability, so the severity ratings translate directly into urgency: the only fix is to upgrade, to Struts 6.4.0 or later.
Upgrading the jar alone is not enough. As part of the upgrade, Apache also told users to move their file-upload handling to the new ActionFileUploadInterceptor, which replaces the deprecated FileUploadInterceptor; keeping the old interceptor after upgrading leaves the application vulnerable. Because the new interceptor hands files to the action through a different API, existing upload actions have to be rewritten, which is exactly the kind of migration work that tends to get postponed and is a reminder that a security fix is sometimes a code change rather than a version bump.
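The migration Apache asks for, as an added example that is not taken from the advisory or the Struts project: an upload action rewritten against the replacement mechanism, plus a defensive check on the client-supplied file name that does not rely on the interceptor at all. The class name, package and upload directory are invented, and the code assumes struts2-core 6.4.0 or later on the classpath (it uses the `UploadedFilesAware` and `UploadedFile` types from that release).

```java
// Added example (not from the advisory or the Struts project). Assumes struts2-core
// 6.4.0 or later on the classpath; class name, package and upload directory are invented.
package example.upload;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

/**
 * Upload action written for the replacement mechanism. The interceptor (registered
 * as "actionFileUpload" in the 6.4 default stack) calls withUploadedFiles(); the
 * action no longer exposes settable upload/uploadFileName/uploadContentType
 * properties, so the file name is not something a request parameter can inject
 * into the action the way it could under the deprecated FileUploadInterceptor.
 */
public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed deployment path; read it from configuration in a real application.
    static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private final List<UploadedFile> uploadedFiles = new ArrayList<>();

    @Override
    public void withUploadedFiles(List<UploadedFile> files) {
        uploadedFiles.addAll(files);
    }

    @Override
    public String execute() throws IOException {
        for (UploadedFile file : uploadedFiles) {
            Path source = Paths.get(file.getAbsolutePath()); // temp file written by the multipart parser
            Path target = resolveSafeTarget(UPLOAD_DIR, file.getOriginalName());
            try {
                Files.copy(source, target, StandardCopyOption.REPLACE_EXISTING);
            } finally {
                file.delete(); // always drop the temp file, whatever happened to the copy
            }
        }
        return SUCCESS;
    }

    /**
     * Defence in depth independent of the interceptor: keep only the last path
     * element of the client-supplied name and confirm that the resolved target
     * sits directly under uploadDir.
     */
    static Path resolveSafeTarget(Path uploadDir, String clientName) {
        if (clientName == null || clientName.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Some browsers send a full client-side path; strip both separator styles.
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(cut + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected file name: " + clientName);
        }
        Path target = uploadDir.resolve(base).normalize();
        if (!uploadDir.equals(target.getParent())) {
            throw new IllegalArgumentException("path escapes upload directory: " + clientName);
        }
        return target;
    }

    // Offline check of the name handling with constructed inputs; needs no Struts runtime.
    public static void main(String[] args) {
        String[] names = {"report.pdf", "C:\\Users\\me\\notes.txt", "../../etc/cron.d/job", "..", "dir/"};
        for (String name : names) {
            try {
                System.out.println(name + " -> " + resolveSafeTarget(UPLOAD_DIR, name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two things to check while migrating. First, if a custom interceptor stack in struts.xml references `fileUpload` by name, it must be changed to `actionFileUpload`, otherwise the old interceptor is still the one handling the request. Second, `resolveSafeTarget` deliberately reduces `../../etc/cron.d/job` to `job` rather than failing the request; if the application would rather log and reject such names outright, move the separator check into the rejection branch, and consider something other than `REPLACE_EXISTING` when several users share one directory.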
Read at Theregister