CVSS2 | 9.3 High |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |

EPSS | 0.974 High |
---|---|
Percentile | 99.9% |

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute
arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2)
redirect:, or (3) redirectAction: prefix.
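
A log check for the three parameter prefixes named in the description, as an added example that is not part of the original advisory. The log lines are constructed, `PLACEHOLDER` stands in for any expression, and treating `${` / `%{` as signs of an embedded expression is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# The three parameter-name prefixes named in the CVE description.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Assumption: "${" and "%{" are treated as signs of an embedded expression.
EXPR_MARKERS = ("${", "%{")

# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Aug/2013:10:00:01 +0000] "GET /app/index.action?id=42 HTTP/1.1" 200 512
198.51.100.7 - - [01/Aug/2013:10:00:02 +0000] "POST /app/save.action?action:list HTTP/1.1" 200 734
203.0.113.9 - - [01/Aug/2013:10:00:05 +0000] "GET /app/index.action?redirect%3A%24%7BPLACEHOLDER%7D HTTP/1.1" 302 0
203.0.113.9 - - [01/Aug/2013:10:00:06 +0000] "GET /app/index.action?x=1&redirectAction:%25{PLACEHOLDER} HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')


def scan(log_text):
    """Return (line_no, client, prefix, has_expression) for each flagged parameter."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for pair in re.split(r"[&;]", query):
            # Decode once so an encoded colon (%3A) cannot hide the prefix.
            decoded = unquote_plus(pair)
            for prefix in PREFIXES:
                if decoded.startswith(prefix):
                    has_expr = any(marker in decoded for marker in EXPR_MARKERS)
                    findings.append((line_no, line.split()[0], prefix, has_expr))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Request bodies do not appear in access logs, so form-encoded POST parameters need the same check at a proxy or WAF.
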
Author | Note |
---|---|
seth-arnold | Only affected Struts 2. The bulk of the patch appears to be in http://svn.apache.org/viewvc?view=revision&revision=1502979 I've reviewed libstruts1.2-java code and could not find analogous code in our codebase. |