Remote Code Execution can be performed via
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible Remote Code Execution
Maximum security rating
Affected Software
Struts 2.3.20 - Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
Reporter
Nike Zheng nike dot zheng at dbappsecurity dot com dot cn
Problem
It is possible to pass a malicious expression which can be used to execute arbitrary code on the server side when Dynamic Method Invocation is enabled.
Solution
Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.
Backward compatibility
No issues expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1.
Workaround
Disable Dynamic Method Invocation or implement your own version of ActionMapper based on the source code of the recommended Apache Struts versions.
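The workaround turns on the `struts.enable.DynamicMethodInvocation` constant, which is a real Struts configuration key; the following audit script is an added example (not part of this bulletin or of the Struts project) that reads a `struts.xml` and reports whether Dynamic Method Invocation is explicitly enabled, explicitly disabled, or left unset. The three configuration snippets inside it are constructed samples: a weak configuration, the hardened one the workaround asks for, and one that never sets the constant at all (in the Struts 2.3.x line the default for that key is `true`, so "unset" should be treated as enabled).

```python
import sys
import xml.etree.ElementTree as ET
from typing import Optional

# Real Struts constant that controls Dynamic Method Invocation (DMI).
DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"

# Constructed sample: DMI switched on explicitly (the weak setting).
WEAK_STRUTS_XML = """<struts>
    <constant name="struts.devMode" value="false" />
    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
    <package name="default" extends="struts-default">
        <action name="index" class="example.IndexAction" />
    </package>
</struts>
"""

# Constructed sample: the workaround applied, DMI switched off.
HARDENED_STRUTS_XML = """<struts>
    <constant name="struts.devMode" value="false" />
    <!-- Workaround from the bulletin: disable Dynamic Method Invocation -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />
    <package name="default" extends="struts-default">
        <action name="index" class="example.IndexAction" />
    </package>
</struts>
"""

# Constructed sample: the constant is never set, so the framework default applies.
UNSET_STRUTS_XML = """<struts>
    <package name="default" extends="struts-default" />
</struts>
"""


def dmi_setting(struts_xml: str) -> Optional[bool]:
    """Return True/False for an explicit DMI constant, or None when it is not set.

    If the constant appears more than once, the last occurrence wins, which
    matches how later <constant> declarations override earlier ones.
    """
    root = ET.fromstring(struts_xml)
    value: Optional[bool] = None
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            value = const.get("value", "").strip().lower() == "true"
    return value


def assess(struts_xml: str) -> str:
    """Classify a struts.xml as 'enabled', 'disabled' or 'unset' for DMI."""
    setting = dmi_setting(struts_xml)
    if setting is None:
        return "unset"
    return "enabled" if setting else "disabled"


def report(label: str, struts_xml: str) -> str:
    """Human-readable line for one configuration, with the 2.3.x default caveat."""
    state = assess(struts_xml)
    note = {
        "enabled": "DMI explicitly enabled: apply the workaround or upgrade",
        "disabled": "DMI disabled: workaround in place",
        # Struts 2.3.x ships with this key defaulting to true, so treat unset as exposed.
        "unset": "DMI not configured: defaults to enabled on Struts 2.3.x",
    }[state]
    return f"{label}: {state} ({note})"


if __name__ == "__main__":
    # Audit a real file when a path is given; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(report(sys.argv[1], fh.read()))
    else:
        for name, xml_text in (("weak", WEAK_STRUTS_XML),
                               ("hardened", HARDENED_STRUTS_XML),
                               ("unset", UNSET_STRUTS_XML)):
            print(report(name, xml_text))
```

Run it with the path to a deployment's `struts.xml` to check a single application; the "unset" result is deliberately reported as exposed because, on the affected 2.3.x versions, leaving the constant out does not disable Dynamic Method Invocation.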