Bug 2331686 (CVE-2024-53677)

Summary: CVE-2024-53677 struts: org.apache.struts: mixing setters for uploaded files and normal fields can allow bypass file upload checks
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: adupliak, aschwart, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, cmiranda, csutherl, darran.lofthouse, dbruscin, dhanak, dkreling, dosoudil, drichtar, drosa, ecerquei, fjuma, fmariani, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jclere, jkoops, jpechane, jpoth, jrokos, jscholz, kvanderr, kverlaen, lgao, mnovotny, mosmerov, mposolda, msochure, msvehla, nwallace, pbizzarr, pcongius, pdelbell, pdrozd, peholase, pesilva, pjindal, plodge, pmackay, pskopek, rguimara, rkieley, rmartinc, rowaters, rstancel, rstepani, saroy, sausingh, smaestri, ssilvert, sthorger, swoodman, szappis, tcunning, tom.jenkinson, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Struts. Affected versions of this package are vulnerable to remote code execution (RCE) via manipulation of the file upload mechanism that enables path traversal. Under certain conditions, uploading a malicious file is possible and may then be executed on the server.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-12-11 16:02:48 UTC 
File upload logic is flawed vulnerability in Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 6.4.0.

Users are recommended to upgrade to version 6.4.0, which fixes the issue.

You can find more details inĀ  https://cwiki.apache.org/confluence/display/WW/S2-067
Comment 2 Chess Hazlett 2024-12-11 21:50:14 UTC 
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.

Note: application not using FileUploadInterceptor are safe.