Child pages
  • S2-036

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution vulnerability

Maximum security rating

Medium

Recommendation

Always validate incoming parameters' values when re-assigning them to certain Struts' tags attributes.

Don't use %{...} syntax in tag attributes other than value unless you have a valid use-case.

Alternatively upgrade to Struts 2.3.29 or Struts 2.5.1

Affected Software

Struts 2.0.0 - Struts 2.3.28.1

Reporters

Alvaro Munoz alvaro dot munoz at hpe.com

CVE Identifier

CVE-2016-07854461

Problem

The same issue was reported in S2-029 but the proposed solutions were not fully proper. The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.

...