
S2-032


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution

Maximum security rating



Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts, Struts or Struts

Affected Software

Struts 2.03.0 20 - Struts Struts 2.3.28 (except 3 and


Nike Zheng nike dot zheng at dbappsecurity dot com dot cn

CVE Identifier



Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions, 3 or

Backward compatibility

No issues expected when upgrading to Struts, 3 and


Disable Dynamic Method Invocation or implement your own version of ActionMapper based on the source code of the recommended Apache Struts versions.
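
One way to check a deployment for the "Disable Dynamic Method Invocation" workaround, as an added example (not part of the original bulletin and not Struts code): the script reads the `struts.enable.DynamicMethodInvocation` constant from `struts.xml` and `struts.properties` text and flags every file that turns it on. The function names and sample files are constructed for this example, and `web.xml` init-params are not examined.

```python
import re
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"

def _state(values):
    # Assumption of this sketch: only the literal "true" (any case) enables DMI.
    if not values:
        return "unset"  # file does not set the constant; framework default applies
    return "enabled" if any(v.strip().lower() == "true" for v in values) else "disabled"

def dmi_from_struts_xml(text):
    """State of the DMI constant in one struts.xml document."""
    root = ET.fromstring(text)
    return _state([c.get("value", "") for c in root.iter("constant")
                   if c.get("name") == DMI_KEY])

def dmi_from_properties(text):
    """State of the DMI constant in one struts.properties file."""
    values = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == DMI_KEY:
            values.append(m.group(2))
    return _state(values)

def audit(sources):
    """sources maps path -> file text; returns the paths that enable DMI."""
    flagged = []
    for path, text in sources.items():
        reader = dmi_from_struts_xml if path.endswith(".xml") else dmi_from_properties
        if reader(text) == "enabled":
            flagged.append(path)
    return sorted(flagged)

# Constructed sample files (not taken from any real application).
WEAK_XML = """<!DOCTYPE struts PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
  "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
FIXED_XML = WEAK_XML.replace('Invocation" value="true"', 'Invocation" value="false"')
PROPS = "# constructed\nstruts.enable.DynamicMethodInvocation = true\n"

if __name__ == "__main__":
    print(audit({"a/struts.xml": WEAK_XML, "b/struts.xml": FIXED_XML,
                 "b/struts.properties": PROPS}))
```

A file reported as "unset" inherits whatever the installed Struts version defaults to, so it still needs checking against that version.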