...
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Dynamic method executions |
Maximum security rating | Important |
Recommendation | Developers should immediately upgrade to Struts 2.3.15.2 |
Affected Software | Struts 2.0.0 - Struts 2.3.15.1 |
Reporter | Direct mail to security@struts.apache.org shine@wooyun.org, HelloWorld security team |
CVE Identifier |
...
Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default, with a warning that users should switch it off if possible.
...
Note |
---|
Disabling Dynamic Method Invocation can break your application if it uses DMI heavily. Nevertheless, please consider refactoring your application to avoid DMI. |
Warning |
---|
It is strongly recommended to upgrade to Struts 2.3.15.2, which contains the corrected Struts2-Core library. |
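
To check whether a deployed application still runs with Dynamic Method Invocation switched on, the following added example (not code from the Struts project) audits the text of `struts.xml` and `struts.properties` for the framework constant `struts.enable.DynamicMethodInvocation`. The function names and sample configurations are constructed for illustration, and a missing setting is treated as enabled, matching the default in the affected releases.

```python
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"

# Constructed sample configurations, for illustration only.
XML_UNSET = """<!DOCTYPE struts PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
  "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>"""
XML_OFF = XML_UNSET.replace(
    "<struts>", '<struts>\n  <constant name="%s" value="false"/>' % DMI_KEY)


def dmi_in_xml(text):
    """Value of the DMI constant in struts.xml text, or None if not declared."""
    value = None
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == DMI_KEY:
            value = (const.get("value") or "").strip().lower()
    return value


def dmi_in_properties(text):
    """Value of the DMI key in struts.properties text (key=value lines only)."""
    value = None
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() == DMI_KEY:
            value = val.strip().lower()
    return value


def audit_dmi(struts_xml=None, struts_properties=None, default_enabled=True):
    """Return 'enabled', 'disabled' or 'unknown' for the given config texts.

    default_enabled=True models the affected releases, where DMI is on unless
    switched off. Precedence between files is deliberately not modelled: any
    source that sets 'true' makes the result 'enabled'.
    """
    values = []
    if struts_xml is not None:
        values.append(dmi_in_xml(struts_xml))
    if struts_properties is not None:
        values.append(dmi_in_properties(struts_properties))
    explicit = [v for v in values if v is not None]
    if "true" in explicit:
        return "enabled"
    if not explicit:
        return "enabled" if default_enabled else "disabled"
    return "disabled" if all(v == "false" for v in explicit) else "unknown"
```

An `enabled` result on an affected release means the application still depends on the old default or sets the constant to `true` explicitly; both cases call for the upgrade and, where possible, the refactoring recommended above.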