

Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series

Who should read this

All Struts 2 developers and users should read this

Impact of vulnerability

Possible RCE when using the Struts 2 Struts 1 plugin

Maximum security rating



Please read the Solution section

Affected Software

Struts 2.3.x


icez <ic3z at qq dot com> from Tophant Competence Center

CVE Identifier



An RCE attack is possible with a malicious field value when the Struts 2 Struts 1 plugin is used to run a Struts 1 action and the value becomes part of a message presented to the user, i.e. when untrusted input is used as part of the error message passed to the ActionMessage class.


Solution

Always use resource keys instead of passing a raw message to the ActionMessage, as shown below; never pass a raw value directly:

messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

and never like this

messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));

Backward compatibility

No backward incompatibility issues are expected.

