{ "threat_severity" : "Critical", "public_date" : "2024-12-11T15:35:43Z", "bugzilla" : { "description" : "struts: org.apache.struts: mixing setters for uploaded files and normal fields can allow bypass file upload checks", "id" : "2331686", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2331686" }, "cvss3" : { "cvss3_base_score" : "9.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-552", "details" : [ "File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.\nThis issue affects Apache Struts: from 2.0.0 before 6.4.0.\nUsers are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe.\nYou can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067", "A flaw was found in Apache Struts. Affected versions of this package are vulnerable to remote code execution (RCE) via manipulation of the file upload mechanism that enables path traversal. Under certain conditions, uploading a malicious file is possible and may then be executed on the server." ], "statement" : "No Red Hat products are affected by this vulnerability.", "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "A-MQ Clients 2", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "com.google.inject.extensions/guice-struts2", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts2-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts.xwork/xwork-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "struts-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "opentelemetry-javaagent-struts-2.3", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "struts2-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "struts-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "struts-taglib", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "struts-tiles", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "xwork-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "io.opentelemetry.javaagent.instrumentation/opentelemetry-javaagent-struts-2.3", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts2-core", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.apache.struts.xwork/xwork-core", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Web Server 5", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5" }, { "product_name" : "Red Hat JBoss Web Server 5", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5" }, { "product_name" : "Red Hat JBoss Web Server 5", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5" }, { "product_name" : "Red Hat JBoss Web Server 6", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6" }, { "product_name" : "Red Hat JBoss Web Server 6", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6" }, { "product_name" : "Red Hat JBoss Web Server 6", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-core", "cpe" : "cpe:/a:redhat:amq_streams:1" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-taglib", "cpe" : "cpe:/a:redhat:amq_streams:1" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Not affected", "package_name" : "org.apache.struts/struts-tiles", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-53677\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53677\nhttps://cwiki.apache.org/confluence/display/WW/S2-067" ], "name" : "CVE-2024-53677", "csaw" : false }