...
| Who should read this | All Struts 2 developers |
|---|---|
| Impact of vulnerability | Remote command execution and arbitrary file overwrite; Strict DMI does not work correctly |
| Maximum security rating | Critical |
| Recommendation | Developers should immediately upgrade to at least Struts 2.3.18 or read the following solution instructions carefully for a configuration change to mitigate the vulnerability |
| Affected Software | Struts 2.0.0 - Struts 2.3.17 |
| Original JIRA Ticket | |
| Reporter | Johannes Dahse, SEC Consult Vulnerability Lab and Bruce Phillips (blog post) |
| CVE Identifier | CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394 |
| Original Description | Reported directly to security@struts.a.o and Struts 2 Security Vulnerability - Dynamic Method Invocation |
...