Apache Struts undefined namespace vulnerability

Added: 09/05/2018
BID: 105125

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Problem

A remote attacker can execute arbitrary commands on the server when a Struts action has an undefined namespace.

Resolution

Upgrade to Struts 2.3.35 or higher (2.3.x branch) or 2.5.17 or higher (2.5.x branch).
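An added example, not part of this advisory or the Struts project, that turns the Problem and Resolution sections into two checks a defender can run: a version comparison against the fixed releases named above, and an audit of a struts.xml for the configuration shape the linked S2-057 advisory describes (the `struts.mapper.alwaysSelectFullNamespace` constant enabled together with packages that have no namespace or a wildcard namespace, and action-resolving results in those packages that set no namespace). The sample configs, package names and class names are constructed, and the function names are my own.

```python
# Added example (not from the advisory or the Struts project): audit a struts.xml
# for the configuration pattern S2-057 describes, and check a Struts version
# against the fixed releases named in the Resolution.
import xml.etree.ElementTree as ET

# Fixed releases per 2.x branch, from the Resolution section.
FIXED_RELEASES = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Constructed sample struts.xml files (DOCTYPE omitted); not from any real deployment.
VULNERABLE_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="app" namespace="/app" extends="struts-default">
    <action name="home" class="com.example.HomeAction">
      <result>/WEB-INF/jsp/home.jsp</result>
    </action>
  </package>
</struts>
"""

HARDENED_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="namespace">/app</param>
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="app" namespace="/app" extends="struts-default">
    <action name="home" class="com.example.HomeAction">
      <result>/WEB-INF/jsp/home.jsp</result>
    </action>
  </package>
</struts>
"""


def parse_version(text):
    """'2.5.16' -> (2, 5, 16). Stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_fixed(version):
    """True/False if the version is at/above the fixed release for its 2.3 or 2.5
    branch; None for branches the Resolution does not name."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def audit_struts_xml(xml_text):
    """Flag the S2-057 configuration pattern: alwaysSelectFullNamespace enabled,
    packages with no or wildcard namespace, and action-resolving results
    (redirectAction, chain) in such packages that set no namespace param."""
    root = ET.fromstring(xml_text)
    full_ns = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    findings = []
    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "?")
        ns = pkg.get("namespace")
        if ns is not None and ns != "" and "*" not in ns:
            continue  # explicit, non-wildcard namespace: not the risky shape
        findings.append(f"package {pkg_name!r}: namespace is {ns!r}")
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in ("redirectAction", "chain"):
                    continue
                params = {p.get("name") for p in result.findall("param")}
                if "namespace" not in params:
                    findings.append(
                        f"action {action.get('name')!r} in package {pkg_name!r}: "
                        f"{result.get('type')} result sets no namespace"
                    )
    return {"full_namespace_enabled": full_ns, "findings": findings}


def exposed(report):
    """The advisory's RCE condition needs both halves of the pattern."""
    return report["full_namespace_enabled"] and bool(report["findings"])


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        rep = audit_struts_xml(cfg)
        print(label, "EXPOSED" if exposed(rep) else "ok", rep["findings"])
    for v in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(v, is_fixed(v))
```

A struts.xml with the risky package shape but the constant unset is still worth fixing: the S2-057 advisory notes that a plugin (it names the Convention plugin) can enable alwaysSelectFullNamespace on its own, and the constant can also be set in struts.properties, which this parser does not read. The version check is the primary control; the config audit is the compensating check for deployments that cannot upgrade immediately.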

References

https://cwiki.apache.org/confluence/display/WW/S2-057
https://github.com/jas502n/St2-057
