Apache Struts OGNL expression RCE S2-057

Severity: High

Description

A Remote Code Execution (RCE) attack is possible in Apache Struts when alwaysSelectFullNamespace is set to true (either explicitly by the user or by a plugin such as the Convention Plugin) and certain conditions regarding the configuration of namespaces and packages are met. This vulnerability allows attackers to execute arbitrary code on the server.

Recommendation

To mitigate this vulnerability, upgrade to Apache Struts version 2.3.35 or 2.5.17, or a newer version.

Tags: RCE, Struts, Injection

Last updated on May 13, 2024