{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53677", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-11-21T17:02:02.847Z", "datePublished": "2024-12-11T15:35:43.389Z", "dateUpdated": "2025-01-03T12:04:30.841Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.struts:struts2-core", "product": "Apache Struts", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.4.0", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>File upload logic in Apache Struts is flawed.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.</span></p><p>This issue affects Apache Struts: from 2.0.0 before 6.4.0.</p><p>Users are recommended to upgrade to version 6.4.0 at least and <span style=\"background-color: rgb(255, 255, 255);\">migrate to the new </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://struts.apache.org/core-developers/file-upload\">file upload mechanism</a><span style=\"background-color: rgb(255, 255, 255);\">. If you are not using an old file upload logic based on&nbsp;<b>FileuploadInterceptor</b>&nbsp;your application is safe.</span></p>You can find more details in&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://cwiki.apache.org/confluence/display/WW/S2-067\">https://cwiki.apache.org/confluence/display/WW/S2-067</a>"}], "value": "File upload logic in Apache Struts is flawed.\u00a0An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.\n\nThis issue affects Apache Struts: from 2.0.0 before 6.4.0.\n\nUsers are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on\u00a0FileuploadInterceptor\u00a0your application is safe.\n\nYou can find more details in\u00a0 https://cwiki.apache.org/confluence/display/WW/S2-067"}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 9.5, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "File upload logic is flawed", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-12-20T15:50:38.224Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://cwiki.apache.org/confluence/display/WW/S2-067"}], "source": {"advisory": "S2-067", "discovery": "EXTERNAL"}, "title": "Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-434", "lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-16T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-53677"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-18T04:55:35.587Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250103-0005/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-03T12:04:30.841Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250103-0005/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-01-03T12:04:30.841Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53677", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-12T15:19:19.829131Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T15:19:47.605Z"}}], "cna": {"title": "Apache Struts: Mixing setters for uploaded files and normal fields can allow bypass file upload checks", "source": {"advisory": "S2-067", "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 9.5, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Struts", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "6.4.0", "versionType": "semver"}], "packageName": "org.apache.struts:struts2-core", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://cwiki.apache.org/confluence/display/WW/S2-067", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "File upload logic in Apache Struts is flawed.\u00a0An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.\n\nThis issue affects Apache Struts: from 2.0.0 before 6.4.0.\n\nUsers are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on\u00a0FileuploadInterceptor\u00a0your application is safe.\n\nYou can find more details in\u00a0 https://cwiki.apache.org/confluence/display/WW/S2-067", "supportingMedia": [{"type": "text/html", "value": "<p>File upload logic in Apache Struts is flawed.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.</span></p><p>This issue affects Apache Struts: from 2.0.0 before 6.4.0.</p><p>Users are recommended to upgrade to version 6.4.0 at least and <span style=\"background-color: rgb(255, 255, 255);\">migrate to the new </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://struts.apache.org/core-developers/file-upload\">file upload mechanism</a><span style=\"background-color: rgb(255, 255, 255);\">. If you are not using an old file upload logic based on&nbsp;<b>FileuploadInterceptor</b>&nbsp;your application is safe.</span></p>You can find more details in&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://cwiki.apache.org/confluence/display/WW/S2-067\">https://cwiki.apache.org/confluence/display/WW/S2-067</a>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "File upload logic is flawed"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-12-20T15:50:38.224Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53677", "state": "PUBLISHED", "dateUpdated": "2025-01-03T12:04:30.841Z", "dateReserved": "2024-11-21T17:02:02.847Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-12-11T15:35:43.389Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAB5D8EE-6237-4CB6-B363-E1B6982E44EE", "versionEndExcluding": "6.4.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File upload logic in Apache Struts is flawed.\u00a0An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.\n\nThis issue affects Apache Struts: from 2.0.0 before 6.4.0.\n\nUsers are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on\u00a0FileuploadInterceptor\u00a0your application is safe.\n\nYou can find more details in\u00a0 https://cwiki.apache.org/confluence/display/WW/S2-067"}, {"lang": "es", "value": "La l\u00f3gica de carga de archivos es una vulnerabilidad defectuosa en Apache Struts. Este problema afecta a Apache Struts: desde la versi\u00f3n 2.0.0 hasta la 6.4.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 6.4.0, que soluciona el problema. Puede encontrar m\u00e1s detalles en https://cwiki.apache.org/confluence/display/WW/S2-067"}], "id": "CVE-2024-53677", "lastModified": "2025-07-15T16:30:19.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.5, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:C/RE:L/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2024-12-11T16:15:14.593", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://cwiki.apache.org/confluence/display/WW/S2-067"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20250103-0005/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "struts: org.apache.struts: mixing setters for uploaded files and normal fields can allow bypass file upload checks", "id": "2331686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331686"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-552", "details": ["File upload logic in Apache Struts is flawed.\u00a0An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.\nThis issue affects Apache Struts: from 2.0.0 before 6.4.0.\nUsers are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on\u00a0FileuploadInterceptor\u00a0your application is safe.\nYou can find more details in\u00a0 https://cwiki.apache.org/confluence/display/WW/S2-067", "A flaw was found in Apache Struts. Affected versions of this package are vulnerable to remote code execution (RCE) via manipulation of the file upload mechanism that enables path traversal. Under certain conditions, uploading a malicious file is possible and may then be executed on the server."], "name": "CVE-2024-53677", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "com.google.inject.extensions/guice-struts2", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts2-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.struts.xwork/xwork-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "struts-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "opentelemetry-javaagent-struts-2.3", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "struts2-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "struts-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "struts-taglib", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "struts-tiles", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "xwork-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "io.opentelemetry.javaagent.instrumentation/opentelemetry-javaagent-struts-2.3", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.struts/struts2-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.struts.xwork/xwork-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-core", "product_name": "streams for Apache Kafka"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-taglib", "product_name": "streams for Apache Kafka"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "org.apache.struts/struts-tiles", "product_name": "streams for Apache Kafka"}], "public_date": "2024-12-11T15:35:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53677\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53677\nhttps://cwiki.apache.org/confluence/display/WW/S2-067"], "statement": "No Red Hat products are affected by this vulnerability.", "threat_severity": "Critical"}

{"created": "2025-07-12T15:42:29.854882+00:00", "updated": "2025-07-12T15:42:29.854942+00:00", "vendors": ["apache", "apache$PRODUCT$struts"]}