...
| Who should read this | All Struts 2 developers |
|---|---|
| Impact of vulnerability | Read access to server filesystem resources (under certain application server environments) |
| Maximum security rating | Important |
| Recommendation | Developers should upgrade to a minimum of Struts 2.0.12 or Struts 2.1.6 |
| Affected Software | Struts 2.0.0 - 2.0.11.2, Struts 2.1.0 - 2.1.2 |
| Original JIRA Ticket | |
| Reporter | Csaba Barta and László Tóth, PricewaterhouseCoopers |
| CVE Identifier | CVE-2008-6505 |
Problem
By design, the Struts 2 dispatcher serves certain static resources found on the web application's classpath for any request URI whose context-relative path starts with "/struts/".
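The following is an added illustration of the containment check a static-resource dispatcher of this kind needs before it maps a request path onto a resource name; it is not code from Struts 2 or from this advisory. The "/struts/" prefix comes from the text above; the classpath root `org/apache/struts2/static/`, the helper name `classpath_resource_for` and all sample request paths are assumptions constructed for the example. The point it shows is that a prefix test on the raw URI is not enough: the path must be percent-decoded and normalized first, and only a result that still lies under the prefix may be resolved.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Context-relative prefix under which static classpath resources are served
# (from the advisory). The classpath root is an assumption for this example.
STATIC_URI_PREFIX = "/struts/"
STATIC_CLASSPATH_ROOT = "org/apache/struts2/static/"  # assumed, illustration only


def classpath_resource_for(context_relative_path):
    """Map a context-relative request path to a classpath resource name.

    Returns the resource name, or None when the request must not be served:
    the path (after decoding and normalization) has to stay strictly under
    STATIC_URI_PREFIX so nothing outside the static root can be resolved.
    """
    # Drop query string and fragment; they are not part of the resource name.
    path = urlsplit(context_relative_path).path
    # Decode twice so a doubly-encoded '.' or '/' cannot bypass normalization.
    decoded = unquote(unquote(path))
    # NUL bytes and backslashes have no place in a classpath resource name.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Cheap pre-check on the raw prefix; NOT sufficient on its own.
    if not decoded.startswith(STATIC_URI_PREFIX):
        return None
    # Collapse '.', '..' and repeated slashes, then re-check containment.
    normalized = normpath(decoded)
    if not normalized.startswith(STATIC_URI_PREFIX):
        return None  # normalization moved the path out of the static prefix
    relative = normalized[len(STATIC_URI_PREFIX):]
    if not relative:
        return None  # the prefix itself names no resource
    return STATIC_CLASSPATH_ROOT + relative


def triage(request_paths):
    """Return (path, decision) pairs for a batch of constructed request paths."""
    return [(p, classpath_resource_for(p)) for p in request_paths]


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real traffic.
    samples = [
        "/struts/css/main.css",
        "/struts/js/../js/app.js?v=1",
        "/struts/../other/file.txt",
        "/struts/%2e%2e/other/file.txt",
        "/struts/",
        "/other/file.js",
    ]
    for path, decision in triage(samples):
        print(f"{path!r:40} -> {decision}")
```

Only the first two sample paths map to a resource; the remaining four are refused either because normalization carries them outside "/struts/" or because they name no resource at all. In a real deployment the same decision would be made once, in the dispatcher, before any classpath lookup happens.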
...