ГлавнаяУязвимости → CVE-2024-53677
9.8критическая

CVE-2024-53677

→ есть в БДУ: BDU:2024-11084 (на русском)
Описание (на английском; русское — в БДУ выше)

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067

Затрагиваемое ПО
Apache Struts
CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://cwiki.apache.org/confluence/display/WW/S2-067https://security.netapp.com/advisory/ntap-20250103-0005/