CVE-2024-53677: Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks

9.5 CVSS

Description

File upload logic is flawed vulnerability in Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 6.4.0.

Users are recommended to upgrade to version 6.4.0, which fixes the issue.

You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.5

Vendor: Apache Software Foundation

Product: Apache Struts

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

2024-12-11 23:15:15 UTC
Github Advisory Database (Maven)

[org.apache.struts:struts2-core] Apache Struts file upload logic is flawed
2024-12-12 00:31:34 UTC
CVE

Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks
2024-12-18 15:15:22 UTC
BleepingComputer

New critical Apache Struts flaw exploited to find vulnerable servers
2024-12-18 15:15:32 UTC
TheHackerNews

Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected
2024-12-19 18:45:12 UTC
Dark Reading

Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2