Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers and users

Impact of vulnerability

  • Removed: Effects of a cross-site scripting vulnerability.
  • Added: Manipulation of Struts' internals, altering of user session.

Maximum security rating

  • Removed: Medium
  • Added: High

Recommendation

  • Removed: Upgrade the runtime JRE to a recent major version, preferably 1.8. Alternatively, upgrading to Struts 2.3.24.1 is recommended.
  • Added: Update the regex used to exclude vulnerable incoming parameters. Alternatively, upgrade to Struts 2.3.25.

Affected Software

Struts 2.0.0 - Struts 2.3.24.1

Reporter

  • Removed: WhiteHat Security (whitehatsec.com)
  • Added: rskvp93 at gmail dot com from Viettel Information Security Center

CVE Identifier

CVE-2015-5209

Problem

The ValueStack defines a special top object which represents the root of the execution context. If a request parameter name can address it, it can be used to manipulate Struts' internals or to affect the container's settings.
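The parameter-name filtering that the recommendation refers to, as an added example: this is an editor's Python model of an exclude-regex check of the kind Struts' parameters interceptor performs, not Struts' own code. The base exclude patterns, the accepted-character pattern and the added `^top\..*` / `^top\[.*` patterns are assumptions for illustration (compare them with the `excludeParams` and `acceptParamNames` values your own Struts release ships), and the request parameters are constructed. It shows that, with the base list alone, a name addressing the top object reaches the stack, and that adding the pattern drops it.

```python
import re

# ASSUMED base exclude list, modelled on the shape of Struts' excludeParams
# (not copied from any release): each pattern must match the whole name.
BASE_EXCLUDE = [
    r"(.*\.|^|.*|\[('|\"))(c|C)lass(\.|('|\")]|\[).*",
    r"^dojo\..*",
    r"^struts\..*",
    r"^session\..*",
    r"^request\..*",
    r"^application\..*",
    r"^servlet(Request|Response)\..*",
    r"^parameters\..*",
    r"^action:.*",
    r"^method:.*",
]

# Hypothetical addition implementing "update the regex used to exclude
# vulnerable incoming parameters": refuse names that address the special
# top object via property or index syntax.
TOP_EXCLUDE = [r"^top\..*", r"^top\[.*"]

# ASSUMED accepted-character allow-list for a parameter name.
ACCEPT = re.compile(r"[a-zA-Z0-9\.\]\[\(\)_'\s]+")


def is_acceptable_name(name, exclude_patterns):
    """True if a request parameter with this name may be set on the ValueStack."""
    if not ACCEPT.fullmatch(name):
        return False
    # re.fullmatch mirrors Java's Matcher.matches(): the whole name must match.
    return not any(re.fullmatch(p, name) for p in exclude_patterns)


def filter_params(params, exclude_patterns):
    """Split a request's parameters into those applied and those dropped."""
    accepted, dropped = {}, {}
    for name, value in params.items():
        target = accepted if is_acceptable_name(name, exclude_patterns) else dropped
        target[name] = value
    return accepted, dropped


# Constructed request: one legitimate form field plus names that try to
# reach objects a form should never address.
CONSTRUCTED_REQUEST = {
    "user.name": "alice",
    "class.x": "1",
    "top.someProperty": "1",
    "method:secret": "1",
}


def compare_filters(params=CONSTRUCTED_REQUEST):
    """Return (accepted_before, accepted_after) for the base and updated lists."""
    before, _ = filter_params(params, BASE_EXCLUDE)
    after, _ = filter_params(params, BASE_EXCLUDE + TOP_EXCLUDE)
    return before, after


if __name__ == "__main__":
    before, after = compare_filters()
    print("base exclude list applies:   ", sorted(before))
    print("with top patterns applies:   ", sorted(after))
```

With the base list, `class.x` and `method:secret` are already dropped but `top.someProperty` is applied; with the two added patterns only `user.name` survives. The order of checks matters: the character allow-list runs first, so a name containing `:` never reaches the exclude regexes at all.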

...