A vulnerability was recently discovered in Apache Struts, the popular Web framework commonly used to develop Java applications following the Model-View-Controller (MVC) paradigm. The vulnerability, identified as CVE-2024-53677, allows an external attacker to write a file to any location on the server’s file system by sending a specially crafted HTTP request. The affected versions range from 2.0.0 to 2.3.37, 2.5.0 to 2.5.33, and 6.0.0 to 6.3.0.2, particularly in applications that use the FileUploadInterceptor component to handle file uploads to the server.
The vulnerability stems from a lack of proper parameter verification during file uploads. By exploiting the file upload functionality in Apache Struts’ Web interface, an attacker can place files outside the directory designated for storing uploaded data. Once able to write files to arbitrary locations on the file system, an attacker can execute commands on the server by tampering with scripts or configuration files, depending on the permissions of the Web application’s user. If the Web application runs inside an Apache Tomcat container with root privileges, the attacker could potentially gain elevated access to the system.
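The defensive pattern behind this class of bug is the same regardless of framework: the file name supplied by the client must never be trusted to decide where on disk the upload lands. The following Java class is an added illustration written for this article; it is not Struts code, not the FileUploadInterceptor, and not the project's fix. It places an unchecked store routine (the shape of the weakness described above) next to a hardened one that rejects path separators and traversal components, restricts the name to an allowlist of characters, and then canonicalizes the resolved path and verifies that it is still inside the upload root. The directory name `uploads` and the file names in `main` are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

/** Stores uploaded files under a fixed root directory (example code, not Struts). */
public final class SafeUploadStore {
    private final Path uploadRoot;

    public SafeUploadStore(Path uploadRoot) throws IOException {
        // Canonical absolute root so that later containment checks compare like with like.
        this.uploadRoot = uploadRoot.toAbsolutePath().normalize();
        Files.createDirectories(this.uploadRoot);
    }

    /**
     * WEAK: the client-supplied name is joined to the root without any validation.
     * A name containing "../" segments resolves to a location outside uploadRoot,
     * which is the arbitrary-file-write condition described in the article.
     */
    public Path storeUnchecked(String clientName, InputStream data) throws IOException {
        Path target = uploadRoot.resolve(clientName);
        Files.copy(data, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    /** HARDENED: the name is validated and the final path is checked for containment. */
    public Path storeChecked(String clientName, InputStream data) throws IOException {
        Path target = resolveSafely(clientName);
        Files.copy(data, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    /** Returns the on-disk path for a client file name, or throws if the name is unsafe. */
    Path resolveSafely(String clientName) {
        if (clientName == null || clientName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Browsers send a bare base name; any separator or traversal component is a red flag.
        if (clientName.indexOf('/') >= 0 || clientName.indexOf('\\') >= 0
                || clientName.contains("..") || clientName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("path separators or traversal not allowed");
        }
        // Allowlist: letters, digits, dot, underscore, hyphen; bounded length.
        if (!clientName.matches("[A-Za-z0-9._-]{1,128}")) {
            throw new IllegalArgumentException("file name contains disallowed characters");
        }
        // Defense in depth: after resolving, the path must still be strictly below the root.
        Path target = uploadRoot.resolve(clientName).normalize();
        if (!target.startsWith(uploadRoot) || target.equals(uploadRoot)) {
            throw new IllegalArgumentException("resolved path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeUploadStore store = new SafeUploadStore(Paths.get("uploads")); // constructed directory name
        // Constructed sample names: one legitimate, three that attempt to leave the directory.
        String[] names = { "report.pdf", "../escape.txt", "..\\escape.txt", "dir/../../escape.txt" };
        for (String name : names) {
            try {
                Path stored = store.storeChecked(name, new ByteArrayInputStream("sample".getBytes()));
                System.out.println("accepted " + name + " -> " + stored);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + name + ": " + e.getMessage());
            }
        }
    }
}
```

Running `main` accepts only `report.pdf`; the other three names are rejected before any file is touched. Rejecting rather than silently trimming a name to its base name is deliberate: a legitimate client never sends directory components, so their presence is itself a signal worth logging and alerting on.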
This vulnerability in Apache Struts is significant because of the framework’s widespread use in corporate Web systems. According to a report by RedMonk, Apache Struts is used in the Web applications of 65% of companies listed in the Fortune 100. In a notable incident in 2017, a cyberattack on the Equifax information system exploited a vulnerable version of Apache Struts, resulting in the compromise of personal data belonging to 143 million U.S. residents.