Summary
Possible Remote Code Execution when using results with no namespace.
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible Remote Code Execution when using results with no namespace
Maximum security rating
Recommendation
Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software
Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16
Unsupported Struts versions may also be affected.
Reporter
Man Yue Mo from the Semmle Security Research team
Problem
It is possible to perform an RCE attack when the namespace value isn't set for a result defined in the underlying XML configuration.
Solution
Upgrade to Apache Struts version 2.3.35 or 2.5.17.
Backward compatibility
Both 2.3.35 and 2.5.17 contain the security fixes only, nothing more. No backward incompatibility issues are expected.
Workaround
This is a temporary, weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because those versions also contain overall proactive security improvements.
Verify that you have set (and never forget to set) the namespace, where applicable, for all results defined in your underlying XML configuration.
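The workaround above is a configuration audit: every result that targets another action must carry an explicit namespace. The script below is an added example, not code from the advisory or from the Struts project. It parses a struts.xml and reports `redirectAction` and `chain` results (the standard result types that accept a `namespace` parameter) that lack a `<param name="namespace">`. The embedded configuration, with its package names, action names and `example.LoginAction` class, is constructed for the demonstration and shows a weak package next to its corrected form.

```python
"""Audit a Struts 2 XML configuration for results that omit a namespace.

Added example (not part of the Struts project). The sample configuration
below is constructed: package "legacy" omits the namespace on a
redirectAction result; package "app" is the corrected form of the same
action with the namespace set explicitly.
"""
import xml.etree.ElementTree as ET

# Result types that resolve to another action and therefore take a
# "namespace" parameter; these are the standard Struts 2 result types.
ACTION_RESULT_TYPES = {"redirectAction", "chain"}

SAMPLE_STRUTS_XML = """<struts>
  <!-- weak: the result redirects to another action but sets no namespace -->
  <package name="legacy" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">home</result>
    </action>
  </package>

  <!-- corrected: the same result with the namespace set explicitly -->
  <package name="app" namespace="/app" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
      <!-- a plain dispatcher result renders a view; no namespace applies -->
      <result name="input">/WEB-INF/jsp/login.jsp</result>
    </action>
  </package>
</struts>
"""


def find_results_without_namespace(struts_xml: str):
    """Return (package, action, result) triples for every action-targeting
    result that has no non-empty <param name="namespace"> child.

    Results of other types (e.g. the default "dispatcher") render a view
    rather than resolving an action, so the namespace check does not apply
    to them and they are skipped.
    """
    root = ET.fromstring(struts_xml)
    findings = []
    for package in root.iter("package"):
        pkg_name = package.get("name", "?")
        for action in package.iter("action"):
            for result in action.findall("result"):
                # Struts defaults an unnamed result to "success" and an
                # untyped one to "dispatcher".
                result_type = result.get("type", "dispatcher")
                if result_type not in ACTION_RESULT_TYPES:
                    continue
                params = {
                    p.get("name"): (p.text or "").strip()
                    for p in result.findall("param")
                }
                if not params.get("namespace"):
                    findings.append(
                        (pkg_name, action.get("name", "?"), result.get("name", "success"))
                    )
    return findings


def report(struts_xml: str) -> str:
    """Render the findings as one line per result, for a CI log or ticket."""
    findings = find_results_without_namespace(struts_xml)
    if not findings:
        return "OK: every redirectAction/chain result sets a namespace"
    lines = [f"{len(findings)} result(s) without an explicit namespace:"]
    for pkg, action, result in findings:
        lines.append(f"  package={pkg} action={action} result={result}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed sample; pass a real file's contents to
    # audit a deployment:  report(open("struts.xml").read())
    print(report(SAMPLE_STRUTS_XML))
```

On the constructed sample the audit flags only the `legacy` package's `login` action (its default `success` result), while the corrected `app` package passes. The check is deliberately narrow: it only confirms the `namespace` parameter is present, which is what the workaround asks for, and it does not replace upgrading to 2.3.35 or 2.5.17.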