Description
A Remote Code Execution (RCE) attack is possible in Apache Struts when alwaysSelectFullNamespace
is set to true
(either by the user or by a plugin like Convention Plugin), and certain conditions are met regarding the configuration of namespaces and packages. This vulnerability allows attackers to execute arbitrary code on the server.
Recommendation
To mitigate this vulnerability, it is recommended to upgrade to Apache Struts version 2.3.35 or 2.5.17, or newer versions.
References
- S2-057 - Apache Struts 2 Wiki
- Apache Struts
- CVE-2018-11776
- CWE-20
- CWE-78
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6