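I. CVE-2024-53677 Basic Information
Vulnerability information
# Apache Struts: Mixing setters for uploaded files and normal fields can bypass file upload checks

## Overview
The file upload logic in Apache Struts is flawed. An attacker can manipulate file upload parameters to achieve path traversal and, under some circumstances, upload a malicious file that can be used for remote code execution.

## Affected versions
- Apache Struts from 2.0.0 up to, but not including, 6.4.0

## Details
- An attacker can use the path traversal flaw to upload a malicious file and then execute code remotely.
- The vulnerability lies in the legacy file upload logic, specifically when `FileuploadInterceptor` is used.

## Impact
- Users are advised to upgrade to at least version 6.4.0 and migrate to the new file upload mechanism: https://struts.apache.org/core-developers/file-upload
- Applications that do not use the legacy file upload logic based on `FileuploadInterceptor` are safe.

More details: https://cwiki.apache.org/confluence/display/WW/S2-067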
Vulnerability title
Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks
Source: U.S. National Vulnerability Database (NVD)
Vulnerability description
File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067
Source: U.S. National Vulnerability Database (NVD)
CVSS information
N/A
Source: U.S. National Vulnerability Database (NVD)
Vulnerability category
N/A
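Source: U.S. National Vulnerability Database (NVD)
Vulnerability title
Apache Struts security vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability description
Apache Struts is an open-source project of the Apache Foundation in the United States: an open-source MVC framework for building enterprise Java web applications, offered mainly as two framework versions, Struts 1 and Struts 2. Apache Struts versions from 2.0.0 up to, but not including, 6.4.0 contain a security vulnerability that stems from a flaw in the file upload logic.
Source: China National Vulnerability Database of Information Security (CNNVD)
CVSS information
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability category
Other
Source: China National Vulnerability Database of Information Security (CNNVD)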
II. Public PoCs for CVE-2024-53677

| # | PoC description | Source link |
|---|---|---|
| 1 | s2-067(CVE-2024-53677) | https://github.com/cloudwafs/s2-067-CVE-2024-53677 |
| 2 | A critical vulnerability, CVE-2024-53677, has been identified in the popular Apache Struts framework, potentially allowing attackers to execute arbitrary code remotely. This vulnerability arises from flaws in the file upload logic, which can be exploited to perform path traversal and malicious file uploads. | https://github.com/TAM-K592/CVE-2024-53677-S2-067 |
| 3 | None | https://github.com/yangyanglo/CVE-2024-53677 |
| 4 | A Docker-based environment to reproduce the CVE-2024-53677 vulnerability in Apache Struts 2. | https://github.com/c4oocO/CVE-2024-53677-Docker |
| 5 | A critical vulnerability, CVE-2024-53677, has been identified in the popular Apache Struts framework, potentially allowing attackers to execute arbitrary code remotely. This vulnerability arises from flaws in the file upload logic, which can be exploited to perform path traversal and malicious file uploads. | https://github.com/XiaomingX/CVE-2024-53677-S2-067 |
| 6 | None | https://github.com/dustblessnotdust/CVE-2024-53677-S2-067-thread |
| 7 | None | https://github.com/0xdeviner/CVE-2024-53677 |
| 8 | Struts Vulnerability - CVE-2024-53677 | https://github.com/Q0LT/VM-CVE-2024-53677 |
| 9 | Proof-of-Concept for CVE-2024-46538 | https://github.com/EQSTLab/CVE-2024-53677 |
| 10 | None | https://github.com/0xPThree/struts_cve-2024-53677 |
| 11 | None | https://github.com/punitdarji/Apache-struts-cve-2024-53677 |
| 12 | Vulnerable Environment and Exploit for CVE-2024-53677 | https://github.com/SeanRickerd/CVE-2024-53677 |
| 13 | Apache Struts CVE-2024-53677 Exploitation | https://github.com/hopsypopsy8/CVE-2024-53677-Exploitation |
| 14 | None | https://github.com/shishirghimir/CVE-2024-53677-Exploit |
| 15 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Apache%20Struts%20S2-067%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2024-53677.md |
| 16 | CVE-2024-53677 | https://github.com/BuludX/CVE-2024-53677 |
| 17 | None | https://github.com/r007sec/CVE-2024-53677 |