This site is deprecated. Please
CLICK HERE for latest updates
Short Name |
HTTP:APACHE:STRUTS2-PI-RCE
|
Severity |
Critical
|
Recommended |
No
|
Recommended Action |
Drop
|
Category |
HTTP
|
Keywords |
Apache Struts2 ParametersInterceptor Remote Command Execution
|
Release Date |
2010/09/28
|
Update Number |
1780
|
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+
|
HTTP: Apache Struts2 ParametersInterceptor Remote Command Execution
This signature detects attempts to exploit a known vulnerability against Apache Struts2. A successful attack can lead to arbitrary code execution.
Extended Description
XWork is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input.
Attackers can exploit this issue to manipulate server-side context objects with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer.
This issue is related to the vulnerability documented in BID 32101 (XWork 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability); the implemented solution appears to have been incomplete.
Affected Products
- Apache_software_foundation struts 2.0.0
- Apache_software_foundation struts 2.0.1
- Apache_software_foundation struts 2.0.11.1
- Apache_software_foundation struts 2.0.11 .2
- Apache_software_foundation struts 2.0.12
- Apache_software_foundation struts 2.0.2
- Apache_software_foundation struts 2.0.3
- Apache_software_foundation struts 2.0.4
- Apache_software_foundation struts 2.0.5
- Apache_software_foundation struts 2.0.6
- Apache_software_foundation struts 2.0.7
- Apache_software_foundation struts 2.0.8
- Apache_software_foundation struts 2.0.9
- Apache_software_foundation struts 2.1.0
- Apache_software_foundation struts 2.1.1
- Apache_software_foundation struts 2.1.8
- Apache_software_foundation struts 2.1.8.1
- Atlassian crucible 2.2.3
- Atlassian crucible 2.3.2
- Atlassian fisheye 2.2.3
- Atlassian fisheye 2.3.4
- Opensymphony xwork 2.0.1
- Opensymphony xwork 2.0.2
- Opensymphony xwork 2.0.3
- Opensymphony xwork 2.0.4
- Opensymphony xwork 2.0.5
- Opensymphony xwork 2.0.6
- Opensymphony xwork 2.1.0
- Opensymphony xwork 2.1.5
- Vmware vcenter_orchestrator 4.0
- Vmware vcenter_orchestrator 4.1
References