Who should read this
All Struts 2 developers
Impact of vulnerability
Remote Code Execution, when a developer passes unsanitized user input to the affected method
Maximum security rating
Recommendation
Don't pass unsanitized input to the affected method or to ActionSupport's getText methods. An upgrade to Struts 2.3.20 is recommended.
Affected Software
Struts 2.0.0 - Struts 188.8.131.52
Reporter
Huawei PSIRT Team
Problem
TextParseUtil.translateVariables evaluates a given String with OGNL. Before Struts 2.3.20, a specially crafted String incorporating ANTLR tooling can, when passed to that method, cause remote code execution.
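As an added example (not code from this advisory or from the Struts project), here is a Struts 2 action written first the way the recommendation warns against and then the way it suggests; the class, request parameter and message-key names are assumed:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import com.opensymphony.xwork2.ActionSupport;

// Added illustration for this advisory, not Struts project code.
// Both methods render a greeting; the first hands request data to getText(),
// the second keeps the i18n key fixed and passes the data as a format argument.
public class GreetingAction extends ActionSupport {

    // Message keys this action is allowed to look up (assumed to exist in the
    // action's .properties bundle, e.g. greeting.morning=Good morning, {0}!).
    private static final Set<String> ALLOWED_KEYS =
            new HashSet<String>(Arrays.asList("greeting.morning", "greeting.evening"));

    // Request parameters populated by the params interceptor (assumed names).
    private String style;    // which greeting the client asked for
    private String name;     // who to greet
    private String rendered;

    public void setStyle(String style) { this.style = style; }
    public void setName(String name)   { this.name = name; }
    public String getRendered()        { return rendered; }

    // UNSAFE: the raw request parameter becomes the message key. When no
    // translation exists, getText(String) falls back to the key text itself,
    // and that text is run through TextParseUtil.translateVariables, so on
    // affected versions the caller's input is evaluated as OGNL.
    public String executeUnsafe() {
        rendered = getText(style);
        return SUCCESS;
    }

    // SAFE: only a key from the allow-list ever reaches getText(); anything
    // else maps to a fixed default. The client-supplied value is handed over
    // as a MessageFormat argument ({0}), which is substituted into the already
    // resolved message rather than being passed through translateVariables.
    public String execute() {
        String key = (style != null && ALLOWED_KEYS.contains(style))
                ? style : "greeting.default";
        rendered = getText(key, new String[] { name });
        return SUCCESS;
    }
}
```

The same rule applies to any direct call of TextParseUtil.translateVariables: only strings the application itself composed should reach it, with request data confined to arguments or to values looked up from an allow-list.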