SecurityWeek

Vulnerabilities
Exploitation of Recent Critical Apache Struts 2 Flaw Begins

Researchers warn of malicious attacks exploiting a recently patched critical vulnerability in Apache Struts 2 leading to remote code execution (RCE).


Threat actors have started exploiting a critical-severity vulnerability in Apache Struts 2 less than a month after it was publicly disclosed.

The issue, tracked as CVE-2024-53677 (CVSS score of 9.5), is a flaw in the framework's file upload logic that lets an attacker perform a path traversal attack.

“An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform remote code execution,” Apache notes in its advisory.

Essentially, attackers could exploit the vulnerability to place malicious files in restricted directories, which could allow them to steal data, execute arbitrary code, and potentially fully compromise systems.
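The bug class described above, an upload handler that builds the destination path from a client-controlled filename, is illustrated below as an added example in Python; it is not Struts code and does not reproduce the Struts flaw itself. The upload root, the filenames and the extension allow-list are constructed assumptions. The vulnerable function shows how a traversal sequence walks out of the upload directory; the hardened one keeps only the final path component, allow-lists the extension and verifies the resolved path is still inside the upload root.

```python
"""Upload path traversal: the vulnerable join beside a hardened one.
Added illustration (not Struts code); paths and names are constructed."""
import os
from pathlib import Path, PurePosixPath


class TraversalError(ValueError):
    """Raised when a client-supplied filename would escape the upload root."""


def vulnerable_destination(upload_root: str, client_filename: str) -> str:
    """Unsafe: the client-supplied name is joined without validation, so
    '../' segments walk out of the upload directory."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


# Assumed allow-list; a real deployment would tailor this to the form's purpose.
ALLOWED_SUFFIXES = (".png", ".jpg", ".pdf")


def safe_destination(upload_root: str, client_filename: str) -> str:
    """Hardened: keep only the basename, refuse any name that carried a
    directory component, allow-list the extension, then confirm the resolved
    destination still lies under the upload root."""
    root = Path(upload_root).resolve()
    # Treat both '/' and '\' as separators and keep only the final component.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if name in ("", ".", "..") or name != client_filename:
        raise TraversalError(f"rejected filename: {client_filename!r}")
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise TraversalError(f"disallowed extension: {name!r}")
    dest = (root / name).resolve()
    # Containment check: the upload root must be an ancestor of the destination.
    if root not in dest.parents:
        raise TraversalError(f"escapes upload root: {dest}")
    return str(dest)


def is_safe_upload_name(upload_root: str, client_filename: str) -> bool:
    """Boolean wrapper so callers (and tests) need not catch the exception."""
    try:
        safe_destination(upload_root, client_filename)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    root = "/srv/app/uploads"  # constructed
    for candidate in ("report.pdf", "../../webapps/ROOT/x.jsp", "..\\..\\x.jsp"):
        print(candidate, "->", vulnerable_destination(root, candidate),
              "| accepted by hardened check:", is_safe_upload_name(root, candidate))
```

The extension allow-list is defence in depth rather than the primary control: the containment check is what stops the write from landing outside the upload directory, while the allow-list keeps server-executable file types out even when the name is otherwise clean. Checking the declared content type or the file's magic bytes would be a further layer.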

“Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows. Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications,” cloud security firm Qualys notes.

The bug impacts Struts versions 2.0.0 through 2.3.37 and 2.5.0 through 2.5.33, which have been discontinued, and versions 6.0.0 through 6.3.0.2.


Struts version 6.4.0 addresses the security defect by deprecating the vulnerable file upload mechanism, FileUploadInterceptor, and introducing a replacement, ActionFileUploadInterceptor, which is not affected. Updating the library is not sufficient on its own: applications must also be migrated to the new mechanism, Apache says.

The project warns that the change is not backward compatible and that users will have to rewrite their actions to start using the new mechanism.

“Keep[ing] using the old File Upload mechanism keeps you vulnerable to this attack,” Apache notes, explaining that no workaround is available.

CVE-2024-53677, Apache says, is similar to CVE-2023-50164 (CVSS score of 9.8), which started being targeted in attacks only days after it was publicly disclosed in December 2023.

Proof-of-concept (PoC) code targeting the newly resolved bug was published last week, and the first exploitation attempts started shortly after, Johannes Ullrich of the SANS Internet Storm Center warns.

“We are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich says.
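Because the observed attempts match public PoC code and are, so far, enumerating targets, a defender's first question is whether such requests are reaching their own Struts endpoints. The following added detection example (not the SANS or Apache code, and not the PoC) flags HTTP requests whose upload-related parameters or multipart filenames carry path-traversal sequences, including percent-encoded and double-encoded variants, and aggregates hits per source address to surface scanners probing several upload endpoints. The request records, source addresses and parameter names are constructed samples.

```python
"""Flag requests whose upload parameters carry path-traversal sequences.
Added detection example; the requests below are constructed, not captured
traffic, and the parameter-name convention is an assumption."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Parameter names that plausibly carry a client-controlled destination name
# (e.g. uploadFileName, fileName); matched case-insensitively.
FILENAME_PARAM = re.compile(r"filename$", re.IGNORECASE)
# A '..' segment bounded by separators or string ends, after normalisation.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %252e%252e is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_in(value: str) -> bool:
    """True if the decoded value contains a directory-traversal segment."""
    normalised = fully_decode(value).replace("\\", "/")
    return bool(TRAVERSAL.search(normalised))


def inspect_request(req: dict) -> list:
    """Return the reasons a request looks like an upload-traversal attempt."""
    reasons = []
    for name, value in req.get("params", {}).items():
        if FILENAME_PARAM.search(name) and traversal_in(value):
            reasons.append(f"traversal in param {name!r}: {value!r}")
    for part in req.get("parts", []):  # multipart Content-Disposition names
        fname = part.get("filename", "")
        if traversal_in(fname):
            reasons.append(f"traversal in multipart filename {fname!r}")
    return reasons


def scan(requests: list, scanner_threshold: int = 3):
    """Flag suspicious requests and identify sources that hit at least
    `scanner_threshold` distinct paths, the signature of enumeration."""
    findings, per_source = [], defaultdict(set)
    for req in requests:
        reasons = inspect_request(req)
        if reasons:
            findings.append((req["src"], req["path"], reasons))
            per_source[req["src"]].add(req["path"])
    scanners = {src for src, paths in per_source.items()
                if len(paths) >= scanner_threshold}
    return findings, scanners


# Constructed sample traffic (documentation IP ranges, invented paths).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/app/upload.action",
     "params": {"uploadFileName": "../../webapps/ROOT/x.jsp"}},
    {"src": "203.0.113.5", "path": "/portal/doUpload.action",
     "params": {"UploadFileName": "..%2f..%2fwebapps%2fROOT%2fx.jsp"}},
    {"src": "203.0.113.5", "path": "/hr/fileUpload.action",
     "params": {"uploadfilename": "%252e%252e%252fx.jsp"}},
    {"src": "192.0.2.9", "path": "/app/upload.action",
     "parts": [{"filename": "..\\..\\shell.jsp"}]},
    {"src": "198.51.100.7", "path": "/app/upload.action",
     "params": {"uploadFileName": "photo.png"},
     "parts": [{"filename": "photo.png"}]},
]


if __name__ == "__main__":
    hits, scanners = scan(SAMPLE_REQUESTS)
    for src, path, reasons in hits:
        print(src, path, reasons)
    print("enumerating sources:", sorted(scanners))
```

The per-source aggregation is what turns individual signature hits into the picture Ullrich describes: a single traversal request may be a one-off test, but one address hitting several distinct upload endpoints with the same payload shape is scanning for vulnerable installations and is worth blocking or escalating.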


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
