Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00cWdqLTltdmctMzkyOc4AAWri
Special top object can be used to access Struts' internals
The ValueStack defines a special `top` object that represents the root of the execution context. A request parameter whose name references `top` can be used to manipulate Struts' internals or to affect the container's settings. The fix applies a stricter regular expression to request parameter names, with a pattern that excludes names trying to use the `top` object. This issue was patched in Struts 2.3.24.1.
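The following Python is an added illustration of the idea behind the fix, not Struts' own code and not its actual regular expressions. It models a parameter-name filter that decides which request parameter names are handed on to OGNL: a constructed shape-only check in which `top` is just another word (so `top.foo` and `top['foo']` pass), beside a hardened check that additionally refuses any name rooted at `top`, a bare stack index, or an OGNL context marker. The sample request parameters are constructed for the example.

```python
"""Model of a request parameter-name filter before and after excluding `top`.

Added example, not Apache Struts code. ACCEPTED_NAME and TOP_ROOTED are
constructed to show the idea; they are not the project's actual patterns.
"""
import re

# Constructed pre-fix style "shape" pattern: a word, optionally followed by
# property/index segments such as .name, [0], (1), ['key'], (key).
# `top` is an ordinary word here, so `top.foo` and `top['foo']` are accepted.
ACCEPTED_NAME = re.compile(
    r"^\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\(\w+\)))*$"
)

# Constructed exclusion for the hardened check. It refuses names that start
# from the ValueStack root rather than from an action property:
#   top.x / top['x'] / top(x)   the special `top` object itself
#   [0].x                       a bare index into the stack root
#   #top... / %{top...}          OGNL context or expression prefixes
# The lookahead keeps `topic.title` (a normal property) accepted.
TOP_ROOTED = re.compile(r"^(%\{)?\s*#?\s*(top(?=[.\[(]|$)|\[\d+\]\.)")


def weak_accepts(name: str) -> bool:
    """Shape-only check: does not know that `top` is special."""
    return ACCEPTED_NAME.match(name) is not None


def hardened_accepts(name: str) -> bool:
    """Shape check plus exclusion of anything rooted at the `top` object."""
    if TOP_ROOTED.search(name):
        return False
    return ACCEPTED_NAME.match(name) is not None


def filter_params(params: dict, accepts=hardened_accepts) -> dict:
    """Return only the parameters whose names pass the chosen check."""
    return {k: v for k, v in params.items() if accepts(k)}


# Constructed sample request: normal properties plus names probing `top`.
SAMPLE_PARAMS = {
    "user.name": "alice",
    "items[0].qty": "2",
    "topic.title": "hello",
    "top.someInternal": "x",
    "top['foo']": "x",
    "[0].bar": "x",
    "#top.baz": "x",
}

if __name__ == "__main__":
    for name in SAMPLE_PARAMS:
        print(f"{name:18s} weak={weak_accepts(name)!s:5s} "
              f"hardened={hardened_accepts(name)}")
    print("kept:", sorted(filter_params(SAMPLE_PARAMS)))
```

The point to take from the comparison is that the shape check alone is not a security boundary: `top` is a syntactically valid property name, so the exclusion has to be a separate, explicit rule, and it must be anchored so that legitimate names that merely begin with the letters `top` still pass.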
Permalink: https://github.com/advisories/GHSA-4qgj-9mvg-3929
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cWdqLTltdmctMzkyOc4AAWri
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-4qgj-9mvg-3929, CVE-2015-5209
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-5209
- https://security.netapp.com/advisory/ntap-20180629-0002/
- https://struts.apache.org/docs/s2-026.html
- https://github.com/advisories/GHSA-4qgj-9mvg-3929
Affected Packages
maven:org.apache.struts:struts2-core
Versions: < 2.3.24.1
Fixed in: 2.3.24.1