Remote Code Execution can be performed via
Who should read this: All Struts 2 developers and users
Impact of vulnerability: Possible Remote Code Execution
Maximum security rating
Struts 2.3.20 - Struts 2.3.28 (except 188.8.131.52 and 184.108.40.206)
Nike Zheng nike dot zheng at dbappsecurity dot com dot cn
It is possible to pass a malicious expression that can be used to execute arbitrary code on the server side when Dynamic Method Invocation is enabled.
Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 220.127.116.11, 18.104.22.168 or 22.214.171.124.
No issues are expected when upgrading to Struts 126.96.36.199, 188.8.131.52 and 184.108.40.206.
Disable Dynamic Method Invocation or implement your own version of ActionMapper based on the source code of the recommended Apache Struts versions.
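
To confirm that the workaround is actually in place, the following added example (not part of the advisory or of Apache Struts) audits configuration content for the `struts.enable.DynamicMethodInvocation` constant. It assumes the setting lives in `struts.xml` or `struts.properties`; the sample contents are constructed, and the verdict is deliberately conservative rather than a model of Struts' override order.

```python
import re
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_XML = """<!DOCTYPE struts PUBLIC
  "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
  "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
SAMPLE_PROPS = "# constructed sample\nstruts.enable.DynamicMethodInvocation = false\n"

def _state(value):
    return "enabled" if value.strip().lower() == "true" else "disabled"

def dmi_in_struts_xml(text):
    """State set by <constant> elements; reports the last matching element."""
    state = "unset"
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == DMI_KEY:
            state = _state(const.get("value", ""))
    return state

def dmi_in_properties(text):
    """State set by key=value / key:value lines; '#' and '!' start comments."""
    state = "unset"
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"[=:]", line, maxsplit=1)
        if len(parts) == 2 and parts[0].strip() == DMI_KEY:
            state = _state(parts[1])
    return state

def audit(sources):
    """sources maps file name -> content. Any file enabling DMI flags the app."""
    states = {name: (dmi_in_struts_xml if name.endswith(".xml") else dmi_in_properties)(text)
              for name, text in sources.items()}
    for verdict in ("enabled", "disabled"):
        if verdict in states.values():
            return verdict, states
    return "unset", states

if __name__ == "__main__":
    print(audit({"struts.xml": SAMPLE_XML, "struts.properties": SAMPLE_PROPS}))
```

A verdict of `unset` means no audited file sets the constant, so the running framework's built-in default applies and should be checked against the deployed Struts version.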