SummaryExtends excluded params in CookieInterceptor to avoid manipulation of Struts' internals
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possibility to change internal state of session, request, etc
Maximum security rating
Developers should immediately upgrade to Struts 188.8.131.52
Struts 2.0.0 - Struts 184.108.40.206
Zubair Ashraf of IBM X-Force
CVE-2014-0116 - Struts' internals manipulation via CookieInterceptor
The excluded parameter pattern introduced in version 220.127.116.11 to block access to getClass() method didn't cover other cases and because of that attacker can change state of session, request and so on (when "*" is used to configure
In Struts 18.104.22.168 the same exclude patterns were used in CookieInterceptor which are available in ParametersInterceptor. If you don't use CookieInterceptor you are safe.
No backward compatibility problems are expected.