## https://sploitus.com/exploit?id=SAINT:4F35F0E051C2B62FD6C3CB3CFF2DEA19
Added: 12/20/2024  


### Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. 

### Problem

A directory traversal vulnerability in Apache Struts allows remote attackers to upload files to arbitrary locations, leading to command execution. 
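The class of check an upload handler needs to prevent this outcome, as an added illustration that is neither the SAINT module's code nor Struts source: a client-supplied file name must be a single path element, must never resolve outside the upload directory, and must not carry a server-side script extension. The class and method names, the upload directory and the web root paths are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not Struts code): decides where an uploaded file may be written.
public final class UploadTargetCheck {
    // Extensions the servlet container would execute; an upload handler must never write them.
    private static final Set<String> FORBIDDEN_EXT = Set.of("jsp", "jspx", "jspf");

    public static Path safeTarget(Path uploadDir, Path webRoot, String clientFileName) {
        Path base = uploadDir.toAbsolutePath().normalize();
        Path root = webRoot.toAbsolutePath().normalize();
        // The upload directory itself must not be servable by the container.
        if (base.startsWith(root)) {
            throw new IllegalStateException("upload directory is inside the web application root");
        }
        // A file name is one path element: no separators, no NUL, no parent reference.
        if (clientFileName == null || clientFileName.isEmpty()
                || clientFileName.contains("/") || clientFileName.contains("\\")
                || clientFileName.contains("\0") || clientFileName.equals("..")
                || clientFileName.equals(".")) {
            throw new IllegalArgumentException("invalid file name: " + clientFileName);
        }
        String ext = "";
        int dot = clientFileName.lastIndexOf('.');
        if (dot >= 0) ext = clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (FORBIDDEN_EXT.contains(ext)) {
            throw new IllegalArgumentException("server-side script extension rejected: " + clientFileName);
        }
        // Resolve and normalize, then confirm the result is a direct child of the upload directory.
        Path target = base.resolve(clientFileName).normalize();
        if (!target.startsWith(base) || !base.equals(target.getParent())) {
            throw new IllegalArgumentException("file name escapes upload directory: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploads = Paths.get("/var/app/uploads");        // assumed; outside the web root
        Path webRoot = Paths.get("/opt/tomcat/webapps/app"); // assumed web application root
        String[] samples = {"report.pdf", "../outside.txt", "shell.jsp", "dir/file.txt"};
        for (String s : samples) {
            try {
                System.out.println("accept " + safeTarget(uploads, webRoot, s));
            } catch (RuntimeException e) {
                System.out.println("reject " + e.getMessage());
            }
        }
    }
}
```

Of the four constructed sample names only `report.pdf` is accepted; the traversal, the JSP and the nested path are each rejected with a distinct reason.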

### Resolution

Upgrade to Struts 6.4.0 or higher and migrate to the new file upload mechanism. 

### References

https://cwiki.apache.org/confluence/display/WW/S2-067   
https://isc.sans.edu/diary/31520   


### Limitations

The vulnerability can only be exploited if a Struts application allows file uploads. 

On success, this exploit creates a JSP file under the web application root, which must be manually removed from the target.