Apache Struts OGNL expression RCE S2-057

Impact: High

Description

It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: namespace value isn’t set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn’t have value and action set and in same time, its upper package configuration have no or wildcard namespace.

Recommendation

Upgrade to Apache Struts version 2.3.35 or 2.5.17 or newer version.

References

S2-057 - Apache Struts 2 Wiki
Apache Struts
CVE-2018-11776
CWE-77
OWASP 2017-A1
OWASP 2021-A3
CWE-20
OWASP 2017-A9
OWASP 2021-A6

👉 You might also like:

Apache Struts 2 Forced double OGNL evaluation S2-059 - CVE-2019-0230

Apache Struts 2 RCE S2-045 - CVE-2017-5638

Apache Struts 2 REST plugin XStream RCE S2-052 - CVE-2017-9805

Drupal 'Drupalgeddon2' Remote Code Execution - CVE-2018-7600

Last updated on June 06, 2022

Apache Struts OGNL expression RCE S2-057

Description

Recommendation

References

This issue is available in SmartScanner Professional