Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Members of public are advised to stay vigilant and not follow any instructions given by these scammers. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Critical Vulnerability in Apache Struts
Alerts

Critical Vulnerability in Apache Struts

13 December 2024

Apache has released security updates addressing a critical vulnerability (CVE-2024-53677) affecting their Struts 2 framework.

Successful exploitation of the path traversal vulnerability could allow an attacker to upload a malicious file which can be used to perform Remote Code Execution (RCE).

The vulnerability affects the following products:

  • Struts versions 2.0.0 to 2.3.37 (End-of-Life)

  • Struts versions 2.5.0 to 2.5.33

  • Struts versions 6.0.0 to 6.3.0.2

Users and administrators of affected product versions are advised to update to the latest versions immediately and use the new file upload mechanism ActionFileUploadInterceptor.

More information is available here:

https://cwiki.apache.org/confluence/plugins/servlet/mobile?contentId=327979397#content/view/327979397

https://struts.apache.org/core-developers/file-upload

https://nvd.nist.gov/vuln/detail/CVE-2024-53677