Child pages
  • S2-027

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers

Impact of vulnerability

Remote Code Execution, when unsanitized user input is passed to the method by a developer

Maximum security rating

Low

Recommendation

Don't pass unsanitized input to the said method or ActionSupport's getText methods. An upgrade to Struts 2.3.24.1 is recommended.

Affected Software

Struts 2.0.0 - Struts Struts 2.3.16.3

Reporter

Huawei PSIRT Team

CVE Identifier

CVE-2016-3090

Problem

TextParseUtil.translateVariables evaluates a given String with OGNL. Before Struts 2.3.20, a specially crafted String incorporating ANTLR tooling can, when passed to said method, cause a remote code execution.

...