Action name clean up is error prone
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible way to craft vulnerable payload
Maximum security rating
Upgrade to latest version of the Apache Struts, 2.3.29 or 2.5.1.
Struts 2.0.0 - Struts 188.8.131.52
Alvaro Munoz alvaro dot munoz at hpe dot com
Sam Ng samn at hpe dot com
The method used to clean up action names can, given crafted input, produce a vulnerable payload, which an attacker could use to perform an unspecified attack.
You should upgrade to the latest Struts version or implement your own version of
ActionMapper based on the source code of the recommended Struts versions.
No issues expected when upgrading Struts version.
Implement your own version of the clean-up method, one that throws an exception instead of sanitising the action name.
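The workaround above, as an added example that is not code from the bulletin or from the Struts project. It assumes a Struts 2.3.x DefaultActionMapper that exposes the protected cleanupActionName(String) hook, and that the mapper is registered through the struts.mapper.class constant; the class and package names are placeholders.

```java
package example.struts; // placeholder package for this added example

import java.util.regex.Pattern;

import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;

/**
 * Fail-closed replacement for the action name clean-up step.
 * The stock behaviour strips unexpected characters from the raw name, so a
 * crafted request can be "cleaned" into a different, valid-looking action name.
 * This mapper never rewrites the name: anything outside a strict allow-list is
 * rejected with an exception.
 *
 * Register it in struts.xml (assumed constant name, as documented for Struts 2):
 *   <constant name="struts.mapper.class" value="example.struts.StrictActionMapper"/>
 */
public class StrictActionMapper extends DefaultActionMapper {

    // Allow-list of what an action name may contain in this application.
    // '!' (dynamic method invocation, name!method) is deliberately left out;
    // add it only if your actions actually rely on DMI.
    private static final Pattern ALLOWED_ACTION_NAME =
            Pattern.compile("[A-Za-z0-9._\\-/]+");

    private static final int MAX_LOGGED_LENGTH = 64;

    @Override
    protected String cleanupActionName(final String rawActionName) {
        if (rawActionName == null
                || !ALLOWED_ACTION_NAME.matcher(rawActionName).matches()) {
            // No sanitising, no best-effort guessing: refuse the request.
            throw new IllegalArgumentException(
                    "Rejected action name: " + forLog(rawActionName));
        }
        // Name already satisfies the allow-list, so it is returned unchanged.
        return rawActionName;
    }

    // Keep rejected input from carrying arbitrary characters into log files:
    // anything outside the allow-list is masked and the value is truncated.
    private static String forLog(final String name) {
        if (name == null) {
            return "<null>";
        }
        String masked = name.replaceAll("[^A-Za-z0-9._\\-/]", "?");
        return masked.length() > MAX_LOGGED_LENGTH
                ? masked.substring(0, MAX_LOGGED_LENGTH) + "..."
                : masked;
    }
}
```

Requests that hit the exception surface as 500 responses (or whatever your error handling maps them to), so watch the application log for a spike of "Rejected action name" entries after deploying.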