Monday, March 10, 2025

Critical Apache Struts Flaw Discovered, Exploitation Attempts Detected


Threat actors are attempting to exploit a recently disclosed security flaw in Apache Struts that could lead to remote code execution.

The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS score: 9.8), which also came under active exploitation shortly after public disclosure.


“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution,” according to the Apache advisory.

In other words, successful exploitation of the flaw could allow a malicious actor to upload arbitrary payloads to susceptible instances, which could then be leveraged to run commands, exfiltrate data, or download additional payloads for follow-on exploitation.

The vulnerability affects the following versions, and has been patched in Struts 6.4.0 or greater –

  • Struts 2.0.0 – Struts 2.3.37 (End-of-Life),
  • Struts 2.5.0 – Struts 2.5.33, and
  • Struts 6.0.0 – Struts 6.3.0.2

Dr. Johannes Ullrich, dean of research for the SANS Technology Institute, said that an incomplete patch for CVE-2023-50164 may have led to the new problem, adding that exploitation attempts matching the publicly released proof-of-concept (PoC) have been detected in the wild.

“At this point, the exploit attempts are attempting to enumerate vulnerable systems,” Ullrich noted. “Next, the attacker attempts to find the uploaded script. So far, the scans originate only from 169.150.226[.]162.”


To mitigate the risk, users are recommended to upgrade to the latest version as soon as possible and rewrite their code to use the new Action File Upload mechanism and related interceptor.
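The advisory's root cause is a client-controlled file name being allowed to influence where an upload lands. As an added example that is not the project's code and does not use the Struts API, the following plain-Java guard shows the containment a Struts action should apply after the interceptor hands it an upload: the client name is never used as a path, only an allow-listed extension is kept, the server generates the stored name, and the resolved location is checked to stay inside the upload directory. The directory and sample names are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/** Added example: server-side containment of a client-supplied upload name. */
public final class UploadPathGuard {
    // Only these extensions are written to disk; server-executable content such as .jsp is never allowed.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "pdf", "txt");

    /**
     * Resolves where an uploaded file may be written. The client-supplied name is never used
     * as a path: only its extension is kept, after an allow-list check, and the final location
     * is verified to stay inside the upload directory.
     */
    public static Path safeTarget(Path uploadDir, String clientFileName) {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Reject separators, parent references and NUL bytes outright instead of trying to "clean" them.
        if (clientFileName.contains("/") || clientFileName.contains("\\")
                || clientFileName.contains("..") || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("path characters in file name");
        }
        int dot = clientFileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Server-generated name: the client controls nothing but the (allow-listed) extension.
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(base)) { // defence in depth; cannot trigger after the checks above
            throw new IllegalStateException("resolved outside upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path dir = Paths.get("/var/app/uploads"); // constructed sample directory
        String[] samples = { "report.pdf", "../../webroot/page.jsp", "photo.PNG", "notes.jsp" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + safeTarget(dir, s));
            } catch (RuntimeException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first and third samples are accepted; the two containing a traversal or a server-executable extension are rejected before anything touches the filesystem.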


“Apache Struts sits at the heart of many enterprise IT stacks, powering public-facing portals, internal productivity applications, and critical business workflows,” Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said. “Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications.”
