| Short Name | HTTP:APACHE:INSEC-FILEUP-DESRI |
|---|---|
| Severity | Major |
| Recommended | Yes |
| Recommended Action | Drop |
| Category | HTTP |
| Keywords | Apache Struts 2 Commons FileUpload Insecure Deserialization |
| Release Date | 2019/01/28 |
| Update Number | 3138 |
| Supported Platforms | srx-17.3+, srx-branch-17.4+, vsrx-15.1+, vsrx3bsd-18.2+ |
This signature detects attempts to exploit a known vulnerability in Apache Struts 2. The vulnerability exists because Apache Struts 2 depends on a vulnerable version of Apache Commons FileUpload. A remote attacker can exploit it by sending a specially crafted serialized object to an application built on Apache Struts 2 that also exposes a suitable attack vector, i.e. a code path that deserializes attacker-supplied data. Successful exploitation can result in arbitrary file upload within the security context of the target application.
Per Apache: "Having reviewed your report we have concluded that it does not represent a valid vulnerability in Apache Commons File Upload. If an application deserializes data from an untrusted source without filtering and/or validation that is an application vulnerability not a vulnerability in the library a potential attacker might leverage."
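As an added illustration of what a signature like this has to look for in traffic (example code written for this page; it is not Juniper's signature logic and not code from Apache or the Struts project): a heuristic Python inspector that finds Java serialization streams in an HTTP request body, pulls the class names out of their class descriptors, and returns the recommended action. It assumes the Java ObjectOutputStream header bytes AC ED 00 05 and watches for the class name org.apache.commons.fileupload.disk.DiskFileItem, which is the Commons FileUpload class whose deserialization this advisory concerns; that class name comes from public knowledge, not from the text above. The HTTP requests it inspects are constructed inline, and the minimal serialized streams it builds are samples, not captures.

```python
"""Heuristic inspection of HTTP request bodies for Java serialized objects that
reference the Commons FileUpload DiskFileItem class.  Added example for this
page; it is not Juniper's signature logic and not code from Apache."""
import re

# ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = b"\x73", b"\x72", b"\x78", b"\x70"
SC_SERIALIZABLE = b"\x02"

# Class whose readObject() is the deserialization sink in Commons FileUpload.
# Assumption for this example, taken from public knowledge, not from the page.
WATCHED_CLASSES = {"org.apache.commons.fileupload.disk.DiskFileItem"}

# Dotted Java class name (ASCII only; enough for the descriptors we care about).
JAVA_CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def split_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, body


def find_serialized_streams(body: bytes):
    """Offsets of every Java serialization header in the body.  The stream may sit
    inside a multipart part or a parameter value, so Content-Type is not trusted."""
    return [m.start() for m in re.finditer(re.escape(JAVA_STREAM_MAGIC), body)]


def extract_class_names(stream: bytes):
    """Pull class names out of TC_CLASSDESC records: the 0x72 tag, a 2-byte
    big-endian length, then the modified-UTF-8 class name."""
    names, i = [], 0
    while True:
        i = stream.find(TC_CLASSDESC, i)
        if i < 0 or i + 3 > len(stream):
            return names
        length = int.from_bytes(stream[i + 1:i + 3], "big")
        candidate = stream[i + 3:i + 3 + length]
        if length and len(candidate) == length and JAVA_CLASS_NAME.fullmatch(candidate):
            names.append(candidate.decode("ascii"))
            i += 3 + length          # skip past the name so its own bytes are not re-scanned
        else:
            i += 1                   # a stray 0x72 byte, not a descriptor; keep looking


def inspect_request(raw: bytes):
    """Classify a request the way the signature's recommended action suggests:
    'drop' when a watched class is referenced, 'alert' for any other serialized
    Java object in the body, 'allow' otherwise."""
    _, headers, body = split_http_request(raw)
    streams = find_serialized_streams(body)
    classes = []
    for offset in streams:
        classes.extend(extract_class_names(body[offset:]))
    hits = sorted(set(classes) & WATCHED_CLASSES)
    verdict = "drop" if hits else ("alert" if streams else "allow")
    return {"verdict": verdict, "classes": classes, "watched_hits": hits,
            "content_type": headers.get("content-type", "")}


def build_sample_stream(class_name: str) -> bytes:
    """Constructed sample: a minimal stream for one object of a class with no
    fields (class descriptor, serialVersionUID, flags, field count, end markers)."""
    name = class_name.encode("ascii")
    return (JAVA_STREAM_MAGIC + TC_OBJECT + TC_CLASSDESC
            + len(name).to_bytes(2, "big") + name
            + b"\x00" * 8 + SC_SERIALIZABLE + b"\x00\x00"
            + TC_ENDBLOCKDATA + TC_NULL)


def build_sample_request(body: bytes, content_type: str) -> bytes:
    """Constructed sample HTTP request wrapping the given body (hostname is made up)."""
    return (b"POST /struts2-app/upload.action HTTP/1.1\r\n"
            b"Host: target.example\r\n"
            + b"Content-Type: " + content_type.encode() + b"\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


SAMPLE_MALICIOUS = build_sample_request(
    build_sample_stream("org.apache.commons.fileupload.disk.DiskFileItem"),
    "application/x-java-serialized-object")
SAMPLE_BENIGN_OBJECT = build_sample_request(
    build_sample_stream("java.util.ArrayList"), "application/x-java-serialized-object")
SAMPLE_FORM = build_sample_request(b"name=report.txt&size=12",
                                   "application/x-www-form-urlencoded")

if __name__ == "__main__":
    for label, req in (("malicious", SAMPLE_MALICIOUS),
                       ("benign object", SAMPLE_BENIGN_OBJECT), ("form", SAMPLE_FORM)):
        print(label, inspect_request(req))
```

The point of scanning the whole body rather than trusting Content-Type is the one Apache's statement makes from the other side: the vulnerable step is the application's unfiltered deserialization, so the stream can arrive through any parameter the application happens to feed into ObjectInputStream. A real sensor would also have to reassemble chunked or gzip-encoded bodies before this check; the example works on a plain body only.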