Summary
Possible path traversal in the Convention plugin
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible path traversal in the Convention plugin in Struts 2.3.20 - 2.3.30
Maximum security rating
Affected Software
Struts 2.3.1 - 2.3.30
Struts 2.5 - 2.5.2
Reporter
Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Problem
A specially crafted URL can be used for path traversal in the Convention plugin and, through it, for execution of arbitrary code on the server side.
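The advisory does not publish the vulnerable code or the crafted URL, so the following is an added illustration, not the Struts Convention plugin's own code. It models the kind of convention-based lookup the plugin performs (namespace plus action name mapped to a JSP under a content root) once in an unsafe form that splices the request-derived name straight into the path, and once in a hardened form that allowlists the name, normalizes the assembled path and refuses anything that no longer sits under the root. The content root (the plugin's documented default is /WEB-INF/content), the method names, the allowed-name pattern and the sample inputs are assumptions made for this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/*
 * Added illustration, not the Struts Convention plugin's code. CONTENT_ROOT,
 * the method names, ACTION_NAME and the sample inputs below are assumptions.
 */
public class ConventionPathCheck {

    // Assumed content root for results; the plugin's documented default is /WEB-INF/content.
    static final String CONTENT_ROOT = "/WEB-INF/content";

    // Assumed allowlist: convention action names and namespace segments are
    // letters, digits, '-' and '_'. No separators, no dots, no percent signs.
    static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9_-]+");

    /** Unsafe: splices the request-derived namespace and action name straight into the path. */
    static String unsafeResultPath(String namespace, String actionName) {
        return CONTENT_ROOT + namespace + "/" + actionName + ".jsp";
    }

    /**
     * Hardened: allowlist every request-derived segment, then normalize the
     * assembled path and refuse anything that escaped the content root.
     */
    static String safeResultPath(String namespace, String actionName) {
        if (!SEGMENT.matcher(actionName).matches()) {
            throw new IllegalArgumentException("rejected action name: " + actionName);
        }
        // Strip the leading '/' so resolve() keeps the namespace relative to root,
        // then check each namespace segment against the same allowlist.
        String ns = namespace.replaceFirst("^/+", "");
        for (String seg : ns.split("/")) {
            if (!seg.isEmpty() && !SEGMENT.matcher(seg).matches()) {
                throw new IllegalArgumentException("rejected namespace: " + namespace);
            }
        }
        Path root = Paths.get(CONTENT_ROOT).normalize();
        Path candidate = root.resolve(ns).resolve(actionName + ".jsp").normalize();
        // Defense in depth: even if the allowlist is later relaxed, the containment
        // check still stops '..' segments from walking out of the content root.
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("escapes content root: " + candidate);
        }
        return candidate.toString();
    }

    /** True when the unsafe mapping, once normalized, lands outside the content root. */
    static boolean unsafeEscapesRoot(String namespace, String actionName) {
        Path root = Paths.get(CONTENT_ROOT).normalize();
        Path p = Paths.get(unsafeResultPath(namespace, actionName)).normalize();
        return !p.startsWith(root);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary convention name, one dot-segment
        // traversal, and one name that keeps URL encoding (harmless here, but a
        // later decoding step would turn it into the same traversal).
        String[][] cases = {
            {"/admin", "list-users"},
            {"/admin", "../../../../etc/passwd"},
            {"/admin", "..%2F..%2Fsecret"},
        };
        for (String[] c : cases) {
            String ns = c[0], action = c[1];
            System.out.println("unsafe : " + unsafeResultPath(ns, action)
                    + (unsafeEscapesRoot(ns, action) ? "   <-- escapes root" : ""));
            try {
                System.out.println("safe   : " + safeResultPath(ns, action));
            } catch (IllegalArgumentException e) {
                System.out.println("safe   : " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac ConventionPathCheck.java && java ConventionPathCheck`. The unsafe mapping of the second input normalizes to /etc/passwd.jsp, outside the content root, while the hardened variant rejects both crafted names before any file lookup happens. The allowlist is the primary control; the normalize-and-startsWith check is kept so that the resolver stays safe even if the name rules are loosened later.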
Solution
Upgrade to Apache Struts version 2.3.31 or 2.5.5 if you are using the Convention plugin.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
There is no known workaround for this vulnerability; please upgrade to the Struts versions named above.