New RCE Flaw in Apache Struts Discovered

PUBLISHED:
23 August 2018

New RCE Flaw in Apache Struts Discovered

Security researchers have discovered a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers.

By exploiting this vulnerability, it is possible to perform an RCE attack when namespace value isn’t set for a result defined in underlying configurations and in the same time, its upper action(s) configurations have no or wildcard namespace. The same possibility when using url tag which doesn’t have value and action set and in the same time, its upper action(s) configurations have no or wildcard namespace.

Affected Versions

  • Struts 2.3 – Struts 2.3.34
  • Struts 2.5 – Struts 2.5.16
  • The unsupported Struts versions may be also affected.

Recommended Course of Action

Upgrade to Struts 2.3.35 or Struts 2.5.17

More Information

https://cwiki.apache.org/confluence/display/WW/S2-057

 

13 July 2023 [NO.TCSA : 20230713-1-1-P]

Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

READ MORE READ MORE
23 June 2023 [NO.TCSA : 20230623-1-1-P]

WSO2 Releases Patches for Vulnerabilities in API Manager, Identity Server, and Other Products

READ MORE READ MORE
12 June 2023 [NO.TCSA : 20230612-1-1-P]

Fortinet Releases Urgent Patches for Critical Pre-Authentication RCE Vulnerability in Fortigate SSL-VPN Devices

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN