
Remote Code Execution can be performed when using REST Plugin.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution

Maximum security rating


Recommendation

Upgrade to Struts 2.3.29.

Affected Software

Struts 2.3.20 and later releases prior to Struts 2.3.29

Reporter

Chao Jack PKAV_香草 jc1990999 at yahoo dot com

Shinsaku Nomura nomura at bitforest dot jp

CVE Identifier


Problem

It is possible to pass a malicious expression which can be used to execute arbitrary code on the server side when using the REST Plugin.

Solution

Upgrade to Apache Struts version 2.3.29.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts 2.3.29: some OGNL expressions may stop working because they perform arithmetic operations and assignments that are now disallowed.

Workaround

Not possible, as this fix requires changes in OGNL and in how Struts uses OGNL in certain aspects.
