Summary
Cross-Site Scripting Vulnerability in Debug ModeWho should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Affects of a cross-site scripting vulnerability when debug mode is switched on in production environment. |
Maximum security rating | Low |
Recommendation | Turn off debug mode in production environment. An upgrade to Struts 2.3.20 is recommended. |
Affected Software | Struts 2.0.0 - Struts Struts 2.3.16.3 |
Reporter | Taki Uchiyama, JPCERT/CC |
CVE Identifier | CVE-2015-5169 |
Problem
When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the 'Problem Report' screen.
Solution
It is generally not advisable to have debug mode switched on outside of the development environment. Debug mode should always be turned off in production setup. Also never expose JSPs files directly and hide them inside WEB-INF folder or define dedicated security constraints to block access to raw JSP files. Please also ready our Security guide - it contains useful informations how to secure your application.
Struts >= 2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts 2.3.20 or higher.
Backward compatibility
No backward compatibility problems are expected.
Workaround
Upgrade to Struts 2.3.20