...
Excerpt |
---|
Wrong |
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | If default settings are used, the attacker can compromise internal state of an application |
Maximum security rating |
Moderate | |
Recommendation | Developers should immediately upgrade to Struts 2.3.20.1 or introduce the below change in framework's settings |
---|---|
Affected Software | Struts 2.3.20 |
Reporter | Jasper Rosenberg at Cargurus |
CVE Identifier | CVE-2015-1831 |
Problem
Wrong default exclude patterns were introduced in version 2.3.20 of Struts, if default settings are used, the attacker can compromise internal application's state.
...