An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this
can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Note: applications not using FileUploadInterceptor are safe.
CA Client Automation - 14.5
According to the vulnerability documentation, the issue is still awaiting analysis, but the recommendation is to
upgrade the affected Apache Struts 2 web apps to version 6.4.0 or greater and remove the deprecated
file upload mechanism, FileUploadInterceptor.
Our web app uses Struts 2.5.33 with CU7, which would be deemed vulnerable only if the FileUploadInterceptor
is used.
After scanning the codebase for WAC, PM, CIC and AMS, the FileUploadInterceptor is not used, but we
could be using it for the offline CIC Manager.
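Checking whether a Struts 2 application actually wires in FileUploadInterceptor means reading its struts.xml rather than only searching for the class name, because the interceptor is referenced under the name `fileUpload` and is also part of the `defaultStack` that packages extending `struts-default` inherit when an action declares no interceptor-ref of its own. The script below is an added example, not code from CA or from the Apache Struts project; the four struts.xml fragments are constructed samples, and the hypothetical `scan_config` / `scan_all` functions would in practice be fed the real `WEB-INF/classes/struts.xml` files of each deployed web app.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Names that resolve to FileUploadInterceptor in Struts' own struts-default.xml:
# "fileUpload" is the interceptor itself, "defaultStack" is the built-in stack that includes it.
BUILTIN_UPLOAD_REFS = {"fileUpload", "defaultStack"}

# Constructed sample configurations (not taken from any real product).
SAMPLE_CONFIGS: Dict[str, str] = {
    "webapp-a/WEB-INF/classes/struts.xml": """
<struts>
  <package name="upload" extends="struts-default">
    <action name="uploadSig" class="com.example.UploadAction">
      <interceptor-ref name="fileUpload"><param name="maximumSize">10485760</param></interceptor-ref>
      <interceptor-ref name="basicStack"/>
      <result>/done.jsp</result>
    </action>
  </package>
</struts>""",
    "webapp-b/WEB-INF/classes/struts.xml": """
<struts>
  <package name="reports" extends="struts-default">
    <interceptors>
      <interceptor name="myUpload" class="org.apache.struts2.interceptor.FileUploadInterceptor"/>
    </interceptors>
    <action name="report" class="com.example.ReportAction">
      <interceptor-ref name="myUpload"/>
      <result>/report.jsp</result>
    </action>
  </package>
</struts>""",
    "webapp-c/WEB-INF/classes/struts.xml": """
<struts>
  <package name="status" extends="struts-default">
    <action name="health" class="com.example.HealthAction">
      <interceptor-ref name="basicStack"/>
      <result>/ok.jsp</result>
    </action>
  </package>
</struts>""",
    "webapp-d/WEB-INF/classes/struts.xml": """
<struts>
  <package name="legacy" extends="struts-default">
    <action name="list" class="com.example.ListAction">
      <result>/list.jsp</result>
    </action>
  </package>
</struts>""",
}


def scan_config(xml_text: str) -> List[str]:
    """Return one finding per action that runs FileUploadInterceptor, directly or via a stack."""
    root = ET.fromstring(xml_text.strip())
    findings: List[str] = []
    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "?")
        # Custom aliases for the class, e.g. <interceptor name="myUpload" class="...FileUploadInterceptor"/>
        aliases = {i.get("name") for i in pkg.iter("interceptor")
                   if (i.get("class") or "").endswith("FileUploadInterceptor")}
        # Custom stacks that pull in fileUpload (or an alias) count as well.
        for stack in pkg.iter("interceptor-stack"):
            refs = {r.get("name") for r in stack.findall("interceptor-ref")}
            if refs & (BUILTIN_UPLOAD_REFS | aliases):
                aliases.add(stack.get("name"))
        # Actions without their own interceptor-ref use the package default; for packages
        # extending struts-default that is defaultStack. (Indirect inheritance via a custom
        # parent package is not followed here and would need a second pass.)
        default_ref = pkg.find("default-interceptor-ref")
        if default_ref is not None:
            default_name = default_ref.get("name")
        else:
            default_name = "defaultStack" if pkg.get("extends") == "struts-default" else None
        for action in pkg.findall("action"):
            refs = [r.get("name") for r in action.findall("interceptor-ref")]
            via = ""
            if not refs and default_name:
                refs, via = [default_name], " (inherited package default)"
            for ref in refs:
                if ref in BUILTIN_UPLOAD_REFS or ref in aliases:
                    findings.append(f"package={pkg_name} action={action.get('name')} ref={ref}{via}")
    return findings


def scan_all(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each struts.xml path to its findings; an empty list means no upload interceptor found."""
    return {path: scan_config(text) for path, text in configs.items()}


if __name__ == "__main__":
    for path, hits in scan_all(SAMPLE_CONFIGS).items():
        print(path, "->", hits or "no FileUploadInterceptor usage")
```

Only webapp-c comes back clean in the sample set: webapp-a references `fileUpload` explicitly, webapp-b aliases the class under another name, and webapp-d picks it up silently through the inherited `defaultStack`. That last case is the one a plain text search for "FileUploadInterceptor" misses, so a "not used" conclusion should rest on the resolved interceptor chain of each action rather than on the absence of the class name.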
CIC can be set up offline if the Client Automation EM or DM servers do not have direct access to the internet.
It allows users to download signatures on a remote machine with internet access, and then Export, Copy and
Import the signatures and patches into the Manager. If you are not using the offline patching scenario, then
CIC Manager can be stopped by executing CA\SC\CIC\Tomcat\bin\ShutdownCICManager.bat.
Note:
The Dev team will work on the upgrade of Struts 2.5 to 6.x for the upcoming release in the 1st half of 2025.