It is possible to bypass token validation and perform a CSRF attack
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Possible CSRF attack
Maximum security rating
Upgrade to Struts 2.3.29.
Struts 2.3.20 - Struts Struts 188.8.131.52
Takeshi Terada websec02 dot g02 at gmail.com
It is possible to pass a malicious expression which can be used to bypass token validation and perform CSRF attack.
Upgrade to Apache Struts version 2.3.29.
Some backward incompatibility issues are expected when upgrading to Struts 2.3.29 - it can happen that some OGNL expressions stop working because of performing disallowed arithmetic operations and assignments.
You can try to use more restrictive RegEx used to clean up action names as below:
<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />
Please adjust the RegEx to your action naming pattern, it should be as narrowed as possible.