Summary
Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals

Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possibility to change internal state of session, request, etc. |
Maximum security rating | Moderate |
Recommendation | Developers should immediately upgrade to Struts 2.3.20 |
Affected Software | Struts 2.0.0 - Struts 2.3.16.3 |
Reporter | Zubair Ashraf of IBM X-Force |
CVE Identifier | CVE-2014-0116 - Struts' internals manipulation via CookieInterceptor |
Problem
The excluded-parameter pattern introduced in version 2.3.16.2 to block access to the getClass() method didn't cover other cases, so an attacker can change the state of the session, request and so on (when "*" is used to configure the cookiesName param).
Solution
In Struts 2.3.20 the same exclude patterns that are available in ParametersInterceptor are now also applied in CookieInterceptor. If you don't use CookieInterceptor you are safe.
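Added example, not taken from the bulletin or the Struts project: a struts.xml fragment showing the wildcard cookiesName setting the Problem section describes, beside a variant that maps only the cookies the action actually needs. The package, action and class names are assumptions.

```xml
<struts>
  <package name="example" extends="struts-default">
    <interceptors>

      <!-- Weak: "*" maps every incoming cookie name onto the action's
           value stack. On Struts 2.0.0 - 2.3.16.3 this is the setting
           the bulletin warns about; upgrading to 2.3.20 is the fix. -->
      <interceptor-stack name="wildcardCookieStack">
        <interceptor-ref name="cookie">
          <param name="cookiesName">*</param>
          <param name="cookiesValue">*</param>
        </interceptor-ref>
        <interceptor-ref name="defaultStack"/>
      </interceptor-stack>

      <!-- Narrower: only the named cookies are mapped, so unrelated
           cookie names are never pushed onto the value stack at all.
           Cookie names are assumptions for this example. -->
      <interceptor-stack name="allowlistCookieStack">
        <interceptor-ref name="cookie">
          <param name="cookiesName">theme,locale</param>
          <param name="cookiesValue">*</param>
        </interceptor-ref>
        <interceptor-ref name="defaultStack"/>
      </interceptor-stack>

    </interceptors>

    <!-- Hypothetical action using the narrower stack -->
    <action name="profile" class="com.example.ProfileAction">
      <interceptor-ref name="allowlistCookieStack"/>
      <result>/profile.jsp</result>
    </action>
  </package>
</struts>
```

Narrowing cookiesName reduces exposure but does not replace the upgrade to 2.3.20, which is where the exclude patterns are enforced inside CookieInterceptor itself.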
Backward compatibility
No backward compatibility problems are expected.