Apache Struts vulnerability allowing code execution on the server

A vulnerability (CVE-2024-53677) has been identified in the Apache Struts web framework, which is used to build Java web applications around the MVC (Model-View-Controller) pattern. The vulnerability allows a remote attacker to write a file to an arbitrary location in the server's file system by sending a specially crafted HTTP request. The issue affects releases 2.0.0 through 2.3.37, 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2, and manifests in applications that use the FileUploadInterceptor component for server-side file upload handling.

The vulnerability is caused by the lack of proper validation of the parameters passed during a file upload. If the web interface implemented with Apache Struts exposes file upload functionality, an attacker can supply a value such as "../../../../../../webapps/ROOT" as the file name and force the file to be saved outside the upload directory (the "upload" directory in the example). Being able to write files to arbitrary parts of the file system, the attacker can execute their own commands on the server and overwrite scripts or configuration files, to the extent permitted by the privileges of the user under which the web application runs. If the web application runs in an Apache Tomcat container with root privileges, the attacker can gain full access to the system. According to the Apache advisory, upgrading alone is not sufficient: the fixed release (6.4.0 and later) deprecates the old interceptor, and applications must also migrate to the new action-based file upload mechanism; applications that never used FileUploadInterceptor are not affected.
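To make the traversal above concrete, the following is an added example (not code from Apache Struts or from the article) that shows the weak pattern, a client-supplied file name joined to the upload directory as-is, beside a contained version that keeps only the final path component and verifies the resolved path still lies inside the upload directory. The upload directory /srv/app/uploads and the sample file names are constructed for illustration; posixpath is used so the result is the same on any platform, matching the POSIX paths of a Tomcat server on Linux.

```python
"""Path traversal in a file-upload handler: the weak pattern beside a contained one.

Constructed example, not Apache Struts code. The upload directory and the
sample file names are made up for illustration.
"""
import posixpath

# Assumed upload directory of the web application (constructed, not from the article).
UPLOAD_DIR = "/srv/app/uploads"


def weak_save_path(upload_dir: str, client_file_name: str) -> str:
    """The weak pattern: the client-supplied name is joined to the upload
    directory unchanged, so '../' components walk out of it and an absolute
    name replaces the directory entirely."""
    return posixpath.normpath(posixpath.join(upload_dir, client_file_name))


def is_inside(root: str, candidate: str) -> bool:
    """True if candidate lies strictly below root. commonpath is used instead
    of startswith so that '/srv/app/uploads2/x' is not treated as being
    inside '/srv/app/uploads'."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(candidate)
    return posixpath.commonpath([root, candidate]) == root and candidate != root


def safe_save_path(upload_dir: str, client_file_name: str) -> str:
    """Contained version: reject control characters, keep only the final path
    component (treating backslashes as separators too, since Windows clients
    send them), reject empty or dot-only names, and finally check that the
    resolved path is still inside the upload directory."""
    if any(ord(ch) < 0x20 for ch in client_file_name):
        raise ValueError("control character in file name")
    name = posixpath.basename(client_file_name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("empty or dot-only file name")
    candidate = posixpath.normpath(posixpath.join(upload_dir, name))
    if not is_inside(upload_dir, candidate):
        raise ValueError("resolved path escapes the upload directory")
    return candidate


def demo() -> list:
    """Run both resolvers over constructed client file names and report, for
    each, the weak result, whether it stayed inside UPLOAD_DIR, and the
    contained result (or the rejection reason)."""
    samples = [
        "report.pdf",                                # benign upload
        "../../../../../../webapps/ROOT/cmd.jsp",    # the traversal from the article, made concrete
        "..\\..\\conf\\web.xml",                     # backslash variant
        "/etc/crontab",                              # absolute name
    ]
    rows = []
    for name in samples:
        weak = weak_save_path(UPLOAD_DIR, name)
        try:
            safe = safe_save_path(UPLOAD_DIR, name)
        except ValueError as exc:
            safe = f"rejected: {exc}"
        rows.append((name, weak, is_inside(UPLOAD_DIR, weak), safe))
    return rows


if __name__ == "__main__":
    for name, weak, inside, safe in demo():
        print(f"{name!r:45} weak={weak!r:30} inside={inside!s:5} safe={safe!r}")
```

Running the block prints the four rows; the traversal name resolves to /webapps/ROOT/cmd.jsp under the weak pattern, which is exactly the location a JSP webshell would be served from, while the contained version reduces it to /srv/app/uploads/cmd.jsp. Note that the containment check still matters even after basename(): it costs nothing and catches a future change that reintroduces directory components from the client.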

The Apache Struts vulnerability matters because the framework is widely used in enterprise systems exposed on the web. According to RedMonk statistics, Apache Struts was used in the web applications of 65% of Fortune 100 companies; in 2017, an attack on Equifax's information systems via a vulnerable version of Apache Struts led to the leak of the personal data of 143 million Americans.

Source: opennet.ru
