Apache Struts OGNL expression RCE S2-057
Impact: High
Description
It is possible to perform an RCE attack when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and one of the following also holds:
- The namespace value isn't set for a result defined in the underlying configurations and, at the same time, its upper package configuration has no namespace or a wildcard namespace.
- A url tag is used that doesn't have value and action set and, at the same time, its upper package configuration has no namespace or a wildcard namespace.
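The result-configuration condition described above can be checked statically. The following Python audit of a struts.xml file is an added example, not code from the original advisory or from the Apache Struts project. The sample configuration is constructed, and limiting the check to the redirectAction, chain and postback result types (the ones that accept a namespace parameter) is an assumption not stated on this page.

```python
import xml.etree.ElementTree as ET

# Result types that accept a "namespace" param (assumption, not from the page).
NAMESPACE_RESULTS = {"redirectAction", "chain", "postback"}
# Constructed sample configuration, not taken from a real application.
SAMPLE = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="go" class="demo.Go">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
  </package>
  <package name="pinned" namespace="/app" extends="struts-default">
    <action name="go" class="demo.Go">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="next" class="demo.Next">
      <result type="chain">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
      <result name="error" type="postback"><param name="actionName">err</param></result>
    </action>
  </package>
</struts>"""


def audit(xml_text):
    """Return (full_namespace_enabled, findings) for a struts.xml document."""
    root = ET.fromstring(xml_text)
    enabled = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant"))
    findings = []
    for pkg in root.iter("package"):
        ns = (pkg.get("namespace") or "").strip()
        if ns and "*" not in ns:
            continue  # package pins a concrete namespace, condition not met
        for res in pkg.iter("result"):
            if res.get("type") not in NAMESPACE_RESULTS:
                continue
            if not any(p.get("name") == "namespace" for p in res.iter("param")):
                findings.append((pkg.get("name"), res.get("type")))
    return enabled, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A false value in the first element is not conclusive, because the setting can also come from a plugin such as the Convention Plugin or from struts.properties. The url tag condition lives in page templates and is not covered by this check.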
Recommendation
Upgrade to Apache Struts version 2.3.35 or 2.5.17, or a newer version.
References
- S2-057 - Apache Struts 2 Wiki
- Apache Struts
- CVE-2018-11776
- CWE-77
- OWASP 2017-A1
- OWASP 2021-A3
- CWE-20
- OWASP 2017-A9
- OWASP 2021-A6
Last updated on June 06, 2022