CVE-2024-53677
Apache Struts Path Traversal Vulnerability
Description
File upload logic in Apache Struts is flawed. An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can then be used to perform Remote Code Execution. This issue affects Apache Struts from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism (https://struts.apache.org/core-developers/file-upload). If you are not using the old file upload logic based on FileuploadInterceptor, your application is safe. You can find more details at https://cwiki.apache.org/confluence/display/WW/S2-067
INFO
Published Date: Dec. 11, 2024, 4:15 p.m.
Last Modified: July 15, 2025, 4:30 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CVSS Scores
Version | Severity | Vector (from the change history below) | Source |
---|---|---|---|
CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | [email protected] |
CVSS 4.0 | CRITICAL | AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Red | [email protected] |
Solution
- Upgrade Apache Struts to version 6.4.0 or later.
- Upgrade SAP BusinessObjects Business Intelligence Platform to version 2025 SP000 000000, 4.3 SP004 001300, 4.3 SP005 000000, or later.
Public PoC/Exploit Available at GitHub
CVE-2024-53677 has 30 public PoC/exploit repositories available on GitHub; the repositories found by our scan are listed below.
References to Advisories, Solutions, and Tools
Here you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-53677.
URL | Resource |
---|---|
https://cwiki.apache.org/confluence/display/WW/S2-067 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20250103-0005/ | Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-53677 is associated with the following CWEs:
- CWE-434: Unrestricted Upload of File with Dangerous Type (as recorded in the change history below)
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-53677 weaknesses. No CAPEC entries are listed for this CVE.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated).
a proof of concept of CVE-2024-53677
cve cve-2024-53677
Go
None
None
Python Java
CVE-2024-53677
Burp Suite is a powerful, integrated platform used for web application security testing. Developed by PortSwigger, it’s a go-to tool for ethical hackers, bug bounty hunters, and security professionals.
None
Practicing Docker Environment
Java
Struts workshop to showcase backporting
Python Java
None
Python Java
Collection of notes, cheatsheets, scripts and writeups as training for the various planned certifications.
Shell Python
None
HTML Python Shell
Apache Struts CVE-2024-53677 Exploitation
None
Vulnerable Environment and Exploit for CVE-2024-53677
Dockerfile Java HTML Python
None
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2024-53677 vulnerability anywhere in the article.
- Cyber Security News: SAP July 2025 Patch Day – Patch for 27 Vulnerabilities Including 7 Critical Ones
  SAP has released its July 2025 Security Patch Day update, addressing a significant number of vulnerabilities across its enterprise software portfolio. The comprehensive security update includes 27 new ...
- Daily CyberSecurity: SAP’s July 2025 Patch Day Brings 27 New Notes, Multiple Critical RCE & Deserialization Flaws (CVSS 10.0)
  SAP’s July 2025 Security Patch Day delivered a total of 27 new security notes and 3 updates to previously released advisories, with several critical vulnerabilities requiring immediate attention. Thes ...
- Daily CyberSecurity: CoinMarketCap Hacked: “Doodle” Graphic Delivers Malware, Stealing $43K+ from User Wallets
  On June 20, 2025, CoinMarketCap (CMC), a trusted name in the crypto ecosystem, fell victim to a highly coordinated client-side attack that weaponized a seemingly harmless “doodle” graphic to deliver mal ...
- Cyber Security News: Automating Patch Management Reducing Vulnerabilities at Scale
  As cybersecurity threats continue to escalate, organizations worldwide are turning to automated patch management solutions to combat an alarming statistic: 80% of cyberattacks occur due to unpatched s ...
- The Hacker News: Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization
  The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result ...
- TheCyberThrone: Sophos fixes Triple Critical Vulnerabilities in its Firewall
  Sophos released patches for three critical security vulnerabilities in their widely-used network security tool, Sophos Firewall, that posed significant risks, including remote code execution and privil ...
- Cybersecurity News: CVE-2024-49775 (CVSS 9.8): Critical Vulnerability in Siemens UMC Exposes Systems to Remote Exploitation
  Siemens has disclosed a critical heap-based buffer overflow vulnerability (CVE-2024-49775) in its User Management Component (UMC), a core element integrated into several of its products. If exploited, ...
- TheCyberThrone: CISA adds BeyondTrust CVE-2024-12356 to its KEV Catalog
  CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-12356: Command Injection Vulnerability in BeyondTrust PRA and RSO ...
- Dark Reading: Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2
  A critical, stubborn new vulnerability in Apache Struts 2 may be under active exploitation already, and fixing it isn't as simple as downloading a patch. S ...
- TheCyberThrone: Fortinet fixes several vulnerabilities including CVE-2023-34990
  Fortinet has released patches for vulnerabilities affecting its popular products, including FortiClient VPN, FortiManager, and FortiWLM. These flaws range from password exposure to remote code executi ...
- The Register: Critical security hole in Apache Struts under exploit
  A critical security hole in Apache Struts 2 – patched last week – is currently being exploited using publicly available proof-of-concept (PoC) code. Struts is a Java-based web application framework wi ...
- BleepingComputer: New critical Apache Struts flaw exploited to find vulnerable servers
  A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices. Apache Struts is an open-so ...
- TheCyberThrone: Clop ransomware exploits Cleo Vulnerability in its attacks
  The Clop ransomware gang has recently claimed responsibility for a series of sophisticated data theft attacks targeting Cleo, a prominent provider of managed file transfer software. These attacks expl ...
- TheCyberThrone: TheCyberThrone Security BiWeekly Review – December 14, 2024
  Welcome to TheCyberThrone cybersecurity week in review, which will be posted covering the important security happenings. This review is for the weeks ending Saturday, November 30, 2024. Jenkins fixes multiple ...
- TheCyberThrone: CISA adds Cleo Vulnerability CVE-2024-50623 to KEV Catalog
  The US CISA adds Cleo vulnerability to its Known Exploited Vulnerabilities Catalog based on the evidence of active exploitation reported. Security vendor Huntress was the first to publicize the attacks ...
- TheCyberThrone: Gitlab fixes CVE-2024-11274 and CVE-2024-8233
  GitLab has released a crucial security update to address multiple vulnerabilities impacting various versions of its platform. This update, applicable to versions 17.6.2, 17.5.4, and 17.4.6 for both Co ...
- security.nl: Critical vulnerability in Apache Struts 2 enables remote code execution
  A critical vulnerability in Apache Struts 2 enables remote code execution, and government agencies are calling on administrators and organisations to install the security update that has been made available ...
- TheCyberThrone: Apache Struts was affected by CVE-2024-53677
  Apache Struts framework has been detected with a critical vulnerability that could allow attackers to execute malicious code remotely, posing a significant risk to affected systems. The vulnerability t ...
- TheCyberThrone: Splunk addresses CVE-2024-53247 in Secure Gateway
  A critical vulnerability has been discovered in the Splunk Secure Gateway app, affecting various versions of Splunk Enterprise and the Splunk Cloud Platform. The vulnerability tracked as CVE ...
- The Register: Apache issues patches for critical Struts 2 RCE bug
  We now know the remote code execution vulnerability in Apache Struts 2 disclosed back in November carries a near-maximum severity rating following the publication of the CVE. According to the National ...
The following table lists the changes that have been made to the CVE-2024-53677 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Initial Analysis by [email protected] (Jul. 15, 2025)
Action | Type | Old Value | New Value |
---|---|---|---|
Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Added | CPE Configuration | | OR *cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* versions from (including) 2.0.0 up to (excluding) 6.4.0 |
Added | Reference Type | | Apache Software Foundation: https://cwiki.apache.org/confluence/display/WW/S2-067 Types: Third Party Advisory |
Added | Reference Type | | CVE: https://security.netapp.com/advisory/ntap-20250103-0005/ Types: Third Party Advisory |
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (Jan. 03, 2025)
Action | Type | Old Value | New Value |
---|---|---|---|
Added | Reference | | https://security.netapp.com/advisory/ntap-20250103-0005/ |
- CVE Modified by [email protected] (Dec. 20, 2024)
Action | Type | Old Value | New Value |
---|---|---|---|
Changed | Description | File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 | File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 |
- CVE Modified by [email protected] (Dec. 18, 2024)
Action | Type | Old Value | New Value |
---|---|---|---|
Changed | Description | File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 | File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 |
- CVE Modified by [email protected] (Dec. 16, 2024)
Action | Type | Old Value | New Value |
---|---|---|---|
Changed | Description | File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0, which fixes the issue. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 | File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 |
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Dec. 12, 2024)
Action | Type | Old Value | New Value |
---|---|---|---|
Added | CWE | | CWE-434 |
- New CVE Received by [email protected] (Dec. 11, 2024)
Action | Type | Old Value | New Value |
---|---|---|---|
Added | Description | | File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0, which fixes the issue. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 |
Added | CVSS V4.0 | | AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Red |
Added | Reference | | https://cwiki.apache.org/confluence/display/WW/S2-067 |