A new update has been released by Apache to address a critical Remote Code Execution (RCE) vulnerability affecting the open-source Apache Struts framework.
Apache Struts is widely used for developing modern Java web applications, making this vulnerability a significant concern for developers.
The security vulnerability (CVE-2024-53677) impacts the following Apache Struts versions:
- 2.0.0 through 2.3.37
- 2.5.0 through 2.5.33
- 6.0 through 6.3.0.2
With a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10, this issue is considered highly critical. The flaw lies in the framework's file upload functionality, where improper handling of uploaded files enables a path traversal (directory traversal) attack. This could allow attackers to access restricted system files, posing a severe risk to affected applications.
Solutions
To address this issue, Apache has released a patch in version 6.4.0. If you are using an affected version of Apache Struts, it’s strongly recommended to upgrade to the latest release to mitigate this critical vulnerability and ensure the security of your web apps.
Developers running vulnerable versions of Struts should also update their applications to use the new Action File Upload mechanism (ActionFileUploadInterceptor), replacing the outdated and vulnerable FileUploadInterceptor. This migration is essential for securing applications and preventing exploitation.
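As an added example (not code from Apache's advisory or the Struts project), this is what an upload action migrated to the Struts 6.4.0 mechanism can look like: it implements UploadedFilesAware so that ActionFileUploadInterceptor, not the deprecated FileUploadInterceptor, hands it the uploaded files, and it confines the write to a server-chosen directory regardless of the name the client sent. The upload directory, single-file handling and the default multipart parser (whose getContent() is a java.io.File) are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

// Upload action on the Struts 6.4.0 mechanism: it implements UploadedFilesAware and
// ActionFileUploadInterceptor (registered as "actionFileUpload" in struts.xml) hands it
// the parsed files. No setUpload/setUploadFileName setters are exposed to parameters.
public class SecureUploadAction extends ActionSupport implements UploadedFilesAware {

    // Destination chosen by the server, never by the request (assumed path).
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath();

    private UploadedFile uploadedFile;

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        // This example stores only the first uploaded file.
        if (!uploadedFiles.isEmpty()) {
            this.uploadedFile = uploadedFiles.get(0);
        }
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFile == null) {
            addActionError("No file was uploaded.");
            return INPUT;
        }
        // Keep only the last path element of the client-supplied name, then require the
        // resolved target to be a direct child of UPLOAD_DIR (rejects "", ".", "..", "../x").
        String original = uploadedFile.getOriginalName();
        Path nameOnly = original == null ? null : Paths.get(original).getFileName();
        Path target = nameOnly == null ? null : UPLOAD_DIR.resolve(nameOnly).normalize();
        if (target == null || !UPLOAD_DIR.equals(target.getParent())) {
            addActionError("Invalid file name.");
            return INPUT;
        }
        // getContent() is the temporary file the multipart parser already wrote.
        Files.copy(((File) uploadedFile.getContent()).toPath(), target,
                StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}
```

The action's interceptor stack in struts.xml must reference actionFileUpload rather than fileUpload for withUploadedFiles to be called; a name containing characters the platform rejects makes Paths.get throw InvalidPathException, which a production action should catch and treat as an invalid name.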
Learn More
Read more on Apache’s advisory notice on their website.