...
Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Permissions, Privileges, and Access Controls |
Maximum security rating | Important |
Recommendation | Developers should immediately upgrade to Struts 2.3.15.23 |
Affected Software | Struts 2.0.0 - Struts 2.3.15.1 2 |
Reporter | Zhangyan (L) Zhu Gang, Zhang Jin, Huawei PSIRT |
CVE Identifier |
...
The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching
navigational information to buttons within forms.
In Struts 2 before 2.3.15.23, under certain conditions this can be used to bypass security constraints. More details will available later on when the patch will be widely adopted.
Proof of concept
TBU
Solution
In Struts 2.3.15.2 3 the action mapping mechanism was changed to avoid circumventing security constraints. Another option is to write your own ActionMapper and completely drop Two additional constants were introduced to steer behaviour of DefaultActionMapper:
- struts.mapper.action.prefix.enabled - when set to false support for "action:" prefix
...
- is disabled, set to false by default
- struts.mapper.action.prefix.crossNamespaces - when set to false, actions defined with "action:" prefix must be in the same namespace as current action
| Note | ||
|---|---|---|
| ||
After upgrading to Struts >= 2.3.15.23, applications using the "action:" should still work as expectedwill stop working. You can use above constants to steer that behaviour. |
| Warning |
|---|
It is strongly recommended to upgrade to Struts 2.3.15.23, which contains the corrected Struts2-Core library. |