Who should read this
All Struts 2 developers and users
Impact of vulnerability
If default settings are used, the attacker can compromise the internal state of an application
Maximum security rating
Developers should immediately upgrade to Struts 188.8.131.52 or introduce the below change in the framework's settings
Jasper Rosenberg at Cargurus
Wrong default exclude patterns were introduced in version 2.3.20 of Struts. If default settings are used, the attacker can compromise the application's internal state.