Security Bulletins - Apache Struts 2 Wiki - Apache Software Foundation
DUE TO SPAM, SIGN-UP IS DISABLED. Goto
Selfserve wiki signup
and request an account.
Apache Struts 2 Wiki
Child pages
Security Bulletins
S2-001
S2-002
S2-003
S2-004
S2-005
S2-006
S2-007
S2-008
S2-009
S2-010
S2-011
S2-012
S2-013
S2-014
S2-015
S2-016
S2-017
S2-018
S2-019
S2-020
S2-021
S2-022
S2-023
S2-024
S2-025
S2-026
S2-027
S2-028
S2-029
S2-030
S2-031
S2-032
S2-033
S2-034
S2-035
S2-036
S2-037
S2-038
S2-039
S2-040
S2-041
S2-042
S2-043
S2-044
S2-045
S2-046
S2-047
S2-048
S2-049
S2-050
S2-051
S2-052
S2-053
S2-054
S2-055
S2-056
S2-057
S2-058
S2-059
S2-060
S2-061
S2-062
S2-063
S2-064
S2-065
S2-066
S2-067
S2-068
S2-069
66 more child pages
Browse pages
tachments (0)
Page History
Resolved comments
Page Information
View in Hierarchy
View Source
Export to PDF
Export to Word
Copy Page Tree
Jira links
Security Bulletins
Created by
Donald J. Brown
, last modified by
Lukasz Lenart
on
Feb 04, 2021
Security impact levels
The Apache Struts Security Team rates the impact of each security flaw that affects Struts. We've chosen a rating scale quite similar to those used by other Apache projects in order to be consistent. Basically the goal of the rating system is to answer the question
How worried should I be about this vulnerability?
Critical
A vulnerability rated with a
Critical
impact is one which could potentially be exploited by a remote attacker to get Struts to execute an arbitrary code. These are the sorts of vulnerabilities that could be exploited automatically by worms/hackers regardless if developers paid attention to keep their code safe and followed advices from
the Security Guide
Important
A vulnerability rated as
Important
impact is one which could result in the compromise of data or availability of the application. For Struts this includes issues that allow an easy remote code execution because developers didn't pay attention to treat users' inputs as unsecure and used it in the application logic.
Moderate
A vulnerability is likely to be rated as
Moderate
if there is significant mitigation to make the issue less of an impact. This might be because the flaw does not affect likely configurations, or it is a configuration that isn't widely used, or where a remote user must be authenticated in order to exploit the issue.
Low
All other security flaws are classed as a
Low
impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences.
Published bulletins
The following security bulletins are available:
S2-001
Remote code exploit on form validation error
S2-002
Cross site scripting (XSS) vulnerability on
S2-003
XWork ParameterInterceptors bypass allows OGNL statement execution
S2-004
Directory traversal vulnerability while serving static content
S2-005
XWork ParameterInterceptors bypass allows remote command execution
S2-006
Multiple Cross-Site Scripting (XSS) in XWork generated error pages
S2-007
User input is evaluated as an OGNL expression when there's a conversion error
S2-008
Multiple critical vulnerabilities in Struts2
S2-009
ParameterInterceptor vulnerability allows remote command execution
S2-010
When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
S2-011
Long request parameter names might significantly promote the effectiveness of DOS attacks
S2-012
Showcase app vulnerability allows remote command execution
S2-013
A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
S2-014
A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks
S2-015
A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.
S2-016
A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
S2-017
A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
S2-018
Broken Access Control Vulnerability in Apache Struts2
S2-019
Dynamic Method Invocation disabled by default
S2-020
Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
S2-021
Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation
S2-022
Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals
S2-023
Generated value of token can be predictable
S2-024
Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker
S2-025
Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files
S2-026
Special top object can be used to access Struts' internals
S2-027
TextParseUtil.translateVariables does not filter malicious OGNL expressions
S2-028
Use of a JRE with broken URLDecoder implementation may lead to XSS vulnerability in Struts 2 based web applications.
S2-029
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
S2-030
Possible XSS vulnerability in I18NInterceptor
S2-031
XSLTResult can be used to parse arbitrary stylesheet
S2-032
Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.
S2-033
Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.
S2-034
OGNL cache poisoning can lead to DoS vulnerability
S2-035
Action name clean up is error prone
S2-036
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029)
S2-037
Remote Code Execution can be performed when using REST Plugin.
S2-038
It is possible to bypass token validation and perform a CSRF attack
S2-039
Getter as action method leads to security bypass
S2-040
Input validation bypass using existing default action method.
S2-041
Possible DoS attack when using URLValidator
S2-042
Possible path traversal in the Convention plugin
S2-043
Using the Config Browser plugin in production
S2-044
Possible DoS attack when using URLValidator
S2-045
Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.
S2-046
Possible RCE when performing file upload based on Jakarta Multipart parser (similar to S2-045)
S2-047
Possible DoS attack when using URLValidator (similar to S2-044)
S2-048
Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series
S2-049
A DoS attack is available for Spring secured actions
S2-050
A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)
S2-051
A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin
S2-052
Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads
S2-053
A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals
S2-054
A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin
S2-055
A RCE vulnerability in the Jackson JSON library
S2-056
A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin
S2-057
Possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.
S2-058
Previous Security Bulletins contained incorrect affected release version ranges.
S2-059
Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
S2-060
Access permission override causing a Denial of Service when performing a file upload
S2-061
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution - similar to S2-059.
S2-062
Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to remote code execution - same as S2-061.
S2-063
DoS via OOM owing to not properly checking of list bounds.
S2-064
DoS via OOM owing to no sanity limit on normal form fields in multipart forms.
S2-065
Excessive disk usage during file upload
S2-066
File upload logic is flawed, and allows an attacker to enable paths with traversals
S2-067
File upload logic is flawed, and allows an attacker to enable paths with traversals - similar problem as reported in S2-066
S2-068
File leak in multipart request processing causes disk exhaustion (DoS)
S2-069
XXE vulnerability in XWork component
No labels
Overview
Content Tools
Atlassian Confluence Open Source Project License
granted to Apache Software Foundation.
Evaluate Confluence today
Atlassian Confluence
8.5.31
Printed by Atlassian Confluence 8.5.31
Report a bug
Atlassian News
Atlassian
{"serverDuration": 148, "requestCorrelationId": "1cff28f7b82b7797"}
US