Apache Struts Exclude Mode Vulnerability (CVE-2015-1831) - vulnerability warning - the black bar safety net

2015-05-13T00:00:00
ID MYHACK58:62201562330
Type myhack58
Reporter Anonymous
Modified 2015-05-13T00:00:00

Description

Affected system:

> The Apache Group Struts 2.3.20

Not affected system:

> The Apache Group Struts 2.3.20.1

Description:


CVE(CAN) ID: CVE-2015-1831

Struts is an open-source framework for building Web applications.

Struts 2.3.20 ships with a wrong default exclude pattern. When the default setting is enabled, the faulty excludeParams overrides the patterns defined in DefaultExcludedPatternsChecker, and an attacker can exploit this to damage the application's internal state.
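The failure mode described above, as an added illustration that is not part of the advisory and not Struts code: a simulation in which a configured exclude list either replaces the built-in defaults (the faulty behaviour) or is merged with them (the safe behaviour). The pattern strings, parameter names and function names are constructed for the example, not copied from any Struts release.

```python
import re

# Constructed stand-ins for a framework's built-in exclusion list and for a
# narrower list supplied via configuration. Illustrative only.
BUILT_IN_EXCLUDES = [
    r"^struts\..*",
    r"^session\..*",
    r"^request\..*",
    r"^class\..*",                        # internal object graph, never user-settable
    r'''^.*\[(['"]?)class\1\]\..*''',     # same, reached through indexed/map syntax
]

CONFIGURED_EXCLUDES = [
    r"^struts\..*",
    r"^session\..*",
    r"^dojo\..*",
]


def effective_excludes(built_in, configured, merge):
    """Return the pattern set that will actually be enforced.

    merge=False models the faulty behaviour: the configured list replaces the
    built-in one. merge=True models the safe behaviour: the configured list
    only adds to the built-in defaults.
    """
    if merge:
        return list(dict.fromkeys(built_in + configured))
    return list(configured)


def is_excluded(param_name, patterns):
    """True if a request parameter name is blocked by any exclusion pattern."""
    return any(re.match(p, param_name) for p in patterns)


def lost_protections(built_in, configured):
    """Built-in patterns that silently disappear when configuration replaces
    the defaults. A non-empty result is the condition a deployment check
    should flag."""
    enforced = set(effective_excludes(built_in, configured, merge=False))
    return [p for p in built_in if p not in enforced]


if __name__ == "__main__":
    for merge in (False, True):
        pats = effective_excludes(BUILT_IN_EXCLUDES, CONFIGURED_EXCLUDES, merge)
        print(f"merge={merge}: 'class.internalState' blocked ->",
              is_excluded("class.internalState", pats))
    print("patterns lost by replacing defaults:",
          lost_protections(BUILT_IN_EXCLUDES, CONFIGURED_EXCLUDES))
```

The practical check is `lost_protections`: run it against the effective configuration of a deployment and treat any lost built-in pattern as a finding, independent of what the configured list was meant to add.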

Source: Jasper Rosenberg

Link: <http://secunia.com/advisories/64369/>

Recommendations:


Manufacturers patch:

The Apache Group

The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:

<http://struts.apache.org/docs/s2-024.html>

<http://struts.apache.org/download.cgi#struts23201>