Child pages
  • S2-027
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Summary

TextParseUtil.translateVariables does not filter malicious OGNL expressions

Who should read this

All Struts 2 developers

Impact of vulnerability

Remote Code Execution, when unsanitized user input is passed to the method by a developer

Maximum security rating

Low

Recommendation

Don't pass unsanitized input to the said method or ActionSupport's getText methods. An upgrade to Struts 2.3.24.1 is recommended.

Affected Software

Struts 2.0.0 - Struts Struts 2.3.16.3

Reporter

Huawei PSIRT Team

CVE Identifier

-

Problem

TextParseUtil.translateVariables evaluates a given String with OGNL. Before Struts 2.3.20, a specially crafted String incorporating ANTLR tooling can, when passed to said method, cause a remote code execution.

The Struts 2 framework does not pass any user modifiable input to this method, neither directly nor indirectly. However, a developer crafting a Struts based web application might pass unsanitized user input to TextParseUtil.translateVariables or ActionSupport's getText methods. In that case a RCE exploitation might be possible.

Solution

  • don't pass unsanitized user input to framework methods that include OGNL expression evaluation
  • upgrade to Struts 2.3.24.1. Since Struts 2.3.20 advanced filtering was applied to this and similar methods involving OGNL evaluation.

 

  • No labels