JVN#79099262: Apache Struts 2 vulnerable to an arbitrary Java method execution

2012-02-10 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 10 High

  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.019 Low
Percentile: 88.3%

Apache Struts 2 is a framework for building Java web applications. It contains an arbitrary Java method execution vulnerability caused by improper conversion in OGNL expressions when an action contains a non-string property.

Impact

If a remote attacker sends a malformed request parameter to a vulnerable system, an arbitrary Java method may be executed. As a result, information such as environment variables may be disclosed, a denial-of-service (DoS) attack may be conducted, or an arbitrary OS command may be executed.

Solution

Update the Software
Apply the latest version according to the information provided by the developer.
The fix for this issue was included in Apache Struts 2.2.3.1, released in September 2011.

According to the developer, Apache Struts 2.0.x is no longer supported, so users are strongly recommended to upgrade to Apache Struts 2.3.x.

Products Affected

  • Apache Struts versions prior to 2.2.3
  • Apache Struts versions 2.0.x
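
To apply the guidance above across a fleet, the following added example (not part of the JVN advisory or of Apache Struts) classifies Struts 2 core jars found in an inventory of file paths. It assumes the Maven-style file name struts2-core-<version>.jar, uses the fix release 2.2.3.1 named above as a conservative cut-off, and runs on constructed sample paths; the function names are illustrative.

```python
import re
from pathlib import PurePosixPath

# Release this advisory names as containing the fix.
FIX_RELEASE = (2, 2, 3, 1)

# Assumption: the core library follows the Maven artifact naming
# struts2-core-<version>[-qualifier].jar.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:-.+)?\.jar$")


def parse_version(text):
    """'2.2.3' -> (2, 2, 3, 0); padded so tuples compare correctly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def classify(path):
    """Return a status for a Struts 2 core jar, or None for any other file."""
    match = JAR_RE.match(PurePosixPath(path).name)
    if match is None:
        return None
    version = parse_version(match.group(1))
    if version[:2] == (2, 0):
        return "2.0.x: unsupported, upgrade to 2.3.x"
    if version < FIX_RELEASE:
        # Assumption: treat everything below the fix release as needing an update.
        return "below 2.2.3.1: update"
    return "at or above 2.2.3.1"


def scan(paths):
    """Map each Struts 2 core jar in `paths` to its status."""
    return {p: s for p in paths if (s := classify(p)) is not None}


# Constructed sample inventory, e.g. the output of a jar listing on app servers.
SAMPLE = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.0.14.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.2.1.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.2.3.1.jar",
    "/opt/app4/WEB-INF/lib/struts2-core-2.3.4.jar",
    "/opt/app4/WEB-INF/lib/commons-io-2.0.1.jar",
]

if __name__ == "__main__":
    for path, status in scan(SAMPLE).items():
        print(f"{status:38} {path}")
```

A file name only reflects what the jar claims to be; repackaged or shaded applications need the version read from the jar's manifest instead.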
