Attackers can use this flaw (CVE-2024-53677) to upload malicious files by exploiting path traversal in the file upload handling. This makes it imperative to patch affected systems immediately or switch to an alternative upload mechanism.
Is Symantec VIP vulnerable to CVE-2024-53677?
VIP Service
VIP Enterprise Gateway
CVE-2024-53677 is a critical vulnerability affecting Apache Struts versions 2.0.0 through 6.3.0.2. This issue arises from flawed file upload logic, which allows attackers to manipulate file upload parameters and potentially execute remote code. The vulnerability involves CWE-434 (Unrestricted Upload of File with Dangerous Type), enabling attackers to bypass file upload checks under certain conditions.
Per the advisory, applications that do not use FileUploadInterceptor, and applications running Struts 6.4.0 or greater, are not vulnerable.
The Symantec VIP products listed above do not use FileUploadInterceptor and hence are not vulnerable.
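The two conditions above (Struts version below 6.4.0 and use of FileUploadInterceptor) can be triaged from a deployment's build and configuration files. The following script is an added example, not Symantec's or Apache's code; it assumes a Maven pom.xml declaring struts2-core and a struts.xml, both constructed here as sample input, and it treats a package extending struts-default as using the interceptor, on the assumption that the shipped defaultStack includes fileUpload.

```python
import re
from xml.etree import ElementTree as ET
# Constructed sample inputs (not from any real deployment).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
 <dependencies><dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>6.3.0.2</version>
 </dependency></dependencies>
</project>"""
SAMPLE_STRUTS_XML = """<struts>
 <package name="upload" extends="struts-default">
  <action name="doUpload" class="example.UploadAction">
   <interceptor-ref name="fileUpload"/>
  </action>
 </package>
</struts>"""
FIXED = (6, 4, 0)  # first release the advisory says is not vulnerable
def local(tag):
    """Strip the XML namespace that Maven POMs carry on every tag."""
    return tag.rsplit("}", 1)[-1]

def parse_version(v):
    """'6.3.0.2' -> (6, 3, 0, 2) so tuples compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def struts_core_version(pom_xml):
    """Return the declared struts2-core version, or None if absent."""
    for dep in ET.fromstring(pom_xml).iter():
        if local(dep.tag) != "dependency":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("artifactId") == "struts2-core":
            return f.get("version")
    return None

def uses_file_upload_interceptor(struts_xml):
    """True if fileUpload is referenced explicitly or inherited from
    struts-default, whose defaultStack includes it (assumption, see lead-in)."""
    root = ET.fromstring(struts_xml)
    explicit = any(r.get("name") == "fileUpload" for r in root.iter("interceptor-ref"))
    inherited = any("struts-default" in (p.get("extends") or "") for p in root.iter("package"))
    return explicit or inherited

def assess(pom_xml, struts_xml):
    """Apply the advisory's two conditions; result is None when version unknown."""
    ver = struts_core_version(pom_xml)
    uploads = uses_file_upload_interceptor(struts_xml)
    vuln = None if ver is None else (parse_version(ver) < FIXED and uploads)
    return {"version": ver, "file_upload": uploads, "vulnerable_per_advisory": vuln}
```

A version pulled in transitively or managed in a parent POM will not be found by this check; confirm with `mvn dependency:tree` in that case.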
For further information, see the official Apache Struts advisory: Apache Struts S2-067