Apache Struts OGNL expression RCE S2-057

Impact: High


A Remote Code Execution (RCE) attack is possible in Apache Struts when alwaysSelectFullNamespace is set to true (either by the user or by a plugin like Convention Plugin), and certain conditions are met regarding the configuration of namespaces and packages. This vulnerability allows attackers to execute arbitrary code on the server.


To mitigate this vulnerability, it is recommended to upgrade to Apache Struts version 2.3.35 or 2.5.17, or newer versions.


Last updated on May 13, 2024

This issue is available in SmartScanner Professional

See Pricing