

Possible Remote Code Execution when using results with no namespace.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when using results with no namespace

Maximum security rating



Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16

Unsupported Struts versions may also be affected.


Man Yue Mo from the Semmle Security Research team

CVE Identifier



It is possible to perform an RCE attack when the namespace value isn't set for a result defined in the underlying XML configuration.


Upgrade to Apache Struts version 2.3.35 or 2.5.17.

Backward compatibility

Both the 2.3.35 and 2.5.17 versions contain only the security fixes, nothing more. No backward incompatibility issues are expected.


This is a temporary, weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because those versions also contain overall proactive security improvements.

Verify that you have set (and never forget to set) the namespace, where applicable, for all results defined in your underlying XML configuration.
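As an added example (not part of this advisory or the Struts project), the following Python script audits a constructed struts.xml for the configuration the workaround asks you to verify: it flags packages with no namespace attribute and redirectAction/chain results with no explicit namespace param. The sample XML and the set of result types checked are assumptions of this checker.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not a real project file): one package sets a
# namespace and its redirectAction result carries an explicit namespace param;
# the other package and its redirectAction result set no namespace at all.
SAMPLE_STRUTS_XML = """<struts>
  <package name="safe" namespace="/secure" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
  <package name="unsafe" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
      <result name="error">/error.jsp</result>
    </action>
  </package>
</struts>
"""

# Result types that forward to another action and therefore resolve a namespace
# (assumption of this checker: redirectAction and chain).
NAMESPACED_RESULT_TYPES = {"redirectAction", "chain"}

def find_missing_namespaces(xml_text):
    """Return human-readable findings for packages without a namespace attribute
    and for action-forwarding results without an explicit namespace param."""
    findings = []
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "<unnamed>")
        if not pkg.get("namespace"):
            findings.append(f"package '{pkg_name}' has no namespace attribute")
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in NAMESPACED_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.iter("param")}
                if not params.get("namespace"):
                    findings.append(f"result '{result.get('name')}' of action "
                                    f"'{action.get('name')}' in package '{pkg_name}' "
                                    "has no namespace param")
    return findings

if __name__ == "__main__":
    for finding in find_missing_namespaces(SAMPLE_STRUTS_XML):
        print("WARN:", finding)
```

Run it against your own struts.xml by passing the file contents to find_missing_namespaces; an empty result means every package and every forwarding result carries an explicit namespace.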
