Detections
Analytics
Apache Struts < 6.4.0 Unrestricted File Upload (S2-067)
critical Web App Scanning Plugin ID 114549
Language:
Synopsis
Apache Struts < 6.4.0 Unrestricted File Upload (S2-067)Description
Apache Struts versions prior to 6.4.0 are vulnerable to an upload logic flaw allowing an attacker to manipulate file upload parameters to enable path traversal and under some circumstances this can lead to a remote code execution.Solution
Refer to the S2-067 vendor advisory for mitigation options.See Also
Plugin Details
Severity: Critical
ID: 114549
Type: remote
Family: Component Vulnerability
Published: 1/6/2025
Updated: 1/7/2025
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Critical
Score: 9.4
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2024-53677
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2024-53677
CVSS v4
Risk Factor: Critical
Base Score: 9.5
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score Source: CVE-2024-53677
Vulnerability Information
CPE: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 11/21/2024
Vulnerability Publication Date: 11/21/2024
Reference Information
CVE: CVE-2024-53677
CWE: 434
OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A5, 2017-A9, 2021-A4, 2021-A6
WASC: Improper Input Handling
CAPEC: 1
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.12.6.1, 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SC-6
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-12.5.2, 4.0.2-14.2.1