Child pages
  • S2-024

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt

Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker


Who should read this

All Struts 2 developers and users

Impact of vulnerability

If default settings are used, the attacker can compromise internal state of an application

Maximum security rating

Medium

Moderate

Recommendation

Developers should immediately upgrade to Struts 2.3.20.1 or introduce the below change in framework's settings

Affected Software

Struts 2.3.20

Reporter

Jasper Rosenberg at Cargurus

CVE Identifier

CVE-2015-1831

Problem

Wrong default exclude patterns were introduced in version 2.3.20 of Struts, if default settings are used, the attacker can compromise internal application's state.

...