Summary
Remote Code Execution can be performed via
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible Remote Code Execution
Maximum security rating
Affected Software
Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
Reporter
Nike Zheng nike dot zheng at dbappsecurity dot com dot cn
Problem
It is possible to pass a malicious expression which can be used to execute arbitrary code on the server side when Dynamic Method Invocation is enabled.
Solution
Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Backward compatibility
No issues are expected when upgrading to Struts 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Workaround
Disable Dynamic Method Invocation or implement your own version of ActionMapper based on the source code of the recommended Apache Struts versions.
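The following is an added example of the two mitigations this bulletin describes, the configuration switch and the custom ActionMapper; it is not code from the Struts project and not the official fix shipped in the recommended versions. It delegates URL parsing to the stock DefaultActionMapper and then rejects any method name that is not a bare Java identifier, so a value supplied through the request cannot reach the expression evaluator as an expression. The class name StrictMethodActionMapper, the package name, the bean name strictMapper and the identifier allowlist pattern are this example's own assumptions.

```java
// Added example, not Struts project code: a defensive ActionMapper for the
// workaround in this bulletin. The allowlist pattern and the class/bean names
// are assumptions made for illustration, not part of the official fix.
//
// Registration in struts.xml (disable DMI outright wherever the application
// does not depend on it; the mapper below then adds defence in depth):
//
//   <constant name="struts.enable.DynamicMethodInvocation" value="false" />
//   <bean type="org.apache.struts2.dispatcher.mapper.ActionMapper"
//         name="strictMapper" class="example.StrictMethodActionMapper" />
//   <constant name="struts.mapper.class" value="strictMapper" />
package example;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import com.opensymphony.xwork2.config.ConfigurationManager;
import org.apache.struts2.dispatcher.mapper.ActionMapping;
import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;

public class StrictMethodActionMapper extends DefaultActionMapper {

    // A legitimate action method is a plain Java identifier. Anything else
    // ('#', '@', '(', '=', quotes, whitespace) is an expression, not a method.
    private static final Pattern SAFE_METHOD = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    @Override
    public ActionMapping getMapping(HttpServletRequest request, ConfigurationManager configManager) {
        ActionMapping mapping = super.getMapping(request, configManager);
        if (mapping != null && !isSafeMethod(mapping.getMethod())) {
            // Discard the tainted method name so the action runs its configured
            // default method instead; a stricter deployment can throw here and
            // answer with a 4xx.
            mapping.setMethod(null);
        }
        return mapping;
    }

    // null means "no method requested", which is the normal, safe case.
    static boolean isSafeMethod(String method) {
        return method == null || SAFE_METHOD.matcher(method).matches();
    }
}
```

The wrapper validates the parsed result rather than re-implementing the prefix handling, so it stays correct whichever DefaultActionMapper version it is layered over; when Dynamic Method Invocation is disabled by the constant above, the mapper never receives a request-supplied method name in the first place, and the check is only a second line of defence.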