CVE-2024-53677 refers to a security vulnerability in Apache Struts, a popular open-source web application framework. The vulnerability arises from a flaw in the file upload mechanism of Apache Struts, specifically within the FileUploadInterceptor component. This flaw allows attackers to manipulate file upload parameters to perform path traversal attacks, enabling them to upload malicious files to unauthorized directories. In certain scenarios, this can lead to remote code execution (RCE), granting attackers the ability to execute arbitrary code on the affected system

PRODUCT(S) AFFECTED: Identity Governance and Administration Suite 14.5, 14.5.1 and all EOS versions.

SYMPTOMS:
Exploitation of this vulnerability may not present obvious symptoms to system administrators. However, potential indicators include:

• Unexpected files appearing in directories that should be restricted.
• Unexplained changes in system behavior or performance.
• Unauthorized execution of code or commands.

IMPACT:
Successful exploitation of CVE-2024-53677 can have severe consequences, including:

• Unauthorized access to sensitive data.
• Compromise of the entire system through remote code execution.
• Potential for attackers to gain further access within the network, leading to broader organizational risks.

WORKAROUND 
There is no workaround for this vulnerability. The recommended solution is to upgrade Apache Struts to version 6.4 or later.

The vulnerability affects only the Identity Manager Management Console. To resolve this issue, Apache Struts has been upgraded from version 2.x to 6.7 in the affected component

• Apply the Identity Manager Management Console hotfix for supported versions.
• For End-of-Support (EOS) versions, please upgrade to the latest version of IGA.