Summary
| Excerpt |
|---|
Directory traversal vulnerability while serving static content |
Who should read this | All Struts 2 developers |
|---|---|
Impact of vulnerability | Read access to server filesystem resources (under certain application server environments) |
Maximum security rating | Important |
Recommendation | Developers should upgrade to a minimum of Struts 2.0.12 or Struts 2.1.6 |
Affected Software | Struts 2.0.0 - 2.0.11.2 Struts 2.1.0 - 2. |
1.2 | |
Original JIRA Ticket | |
|---|---|
Reporter | Csaba Barta and László Tóth, PricewaterhouseCoopers |
Problem
The Struts2 dispatcher logic by design allows to serve certain static resources found in the classpath of the web application for request URIs having a context relative path starting with "/struts/".
...
You can obtain Struts 2.0.12 as a drop in replacement for Struts 2.0.11.2 to get the fixed Struts 2 core library.
Within the Struts 2.1.x branch, upgrade to at least Struts 2.1.6.