Summary
XSLTResult can be used to parse arbitrary stylesheets.

Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution |
Maximum security rating | Moderate |
Recommendation | Always validate the type and content of uploaded files, and do not expose them directly in your web application. Alternatively, upgrade to Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1. |
Affected Software | Struts 2.0.0 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) |
Reporter | GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab |
CVE Identifier | CVE-2016-3082 |
Problem
XSLTResult allows the location of a stylesheet to be passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Solution
Always validate the type and content of uploaded files. We encourage you to upgrade to one of the Apache Struts versions listed above.
Backward compatibility
No issues are expected when upgrading to Struts 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Workaround
Implement your own XSLTResult based on the code of the recommended versions.
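One way a custom result can avoid the problem described above, as an added example that is not Struts code: the stylesheet is chosen from a fixed allow-list keyed by a logical name, so no value taken from the request or from an uploaded file ever selects the file to transform with. The `StylesheetResolver` class, the `/WEB-INF/xslt` directory and the allow-list entries are assumptions for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;

/**
 * Hypothetical helper for a custom XSLTResult: the stylesheet path comes
 * only from a server-side allow-list, never from a request parameter or
 * an uploaded file name.
 */
public final class StylesheetResolver {

    // Assumed deployment layout: bundled stylesheets live only here.
    private static final Path BASE =
            Paths.get("/WEB-INF/xslt").toAbsolutePath().normalize();

    // Allow-list: logical name -> file name inside BASE (constructed sample values).
    private static final Map<String, String> ALLOWED = Map.of(
            "report", "report.xsl",
            "summary", "summary.xsl");

    private StylesheetResolver() {}

    /**
     * Returns the absolute path of the stylesheet for a logical name.
     * Throws if the name is not allow-listed or the resolved path leaves BASE,
     * so an attacker-controlled string can never reach the transformer.
     */
    public static Path resolve(String logicalName) {
        String fileName = ALLOWED.get(logicalName);
        if (fileName == null) {
            throw new IllegalArgumentException("stylesheet not allowed: " + logicalName);
        }
        Path resolved = BASE.resolve(fileName).normalize();
        // Defence in depth: even an allow-listed entry must stay inside BASE
        // and must be a stylesheet file, not some other resource.
        if (!resolved.startsWith(BASE) || !fileName.endsWith(".xsl")) {
            throw new IllegalStateException("stylesheet outside base directory: " + resolved);
        }
        return resolved;
    }
}
```

A custom result built on the recommended versions' code would call `resolve()` with the name configured in struts.xml and ignore any location supplied by the client.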