org.apache.struts:struts2-core@2.3.34 vulnerabilities

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via manipulation of file upload parameters that enable path traversal. Under certain conditions, uploading of a malicious file is possible, which may then be executed on the server.

Upgrade org.apache.struts:struts2-core to version 2.5.33, 6.3.0.2 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Denial of Service when certain fields exceed the maxStringLength limit during multipart requests. An attacker can exploit this to leave uploaded files in the struts.multipart.saveDir even after the request has been denied resulting in excessive disk usage.

Upgrade org.apache.struts:struts2-core to version 2.5.32, 6.1.2.2, 6.3.0.1 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of getProperty() by the XWorkListPropertyAccessor class. Exploiting this vulnerability is possible if the developer has set CreateIfNull to true for the underlying Collection type field.

Upgrade org.apache.struts:struts2-core to version 2.5.31, 6.1.2.1 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The fix issued for CVE-2020-17530 was incomplete. Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Upgrade org.apache.struts:struts2-core to version 2.5.30 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The vulnerability exists due to improper input validation when processing certain tag's attributes. The application performs double evaluation of the code if a developer applied forced OGNL evaluation by using the %{...} syntax. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Upgrade org.apache.struts:struts2-core to version 2.5.26 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type. A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.

Upgrade org.apache.struts:struts2-core to version 2.5 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Denial of Service (DoS). When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions will fail.

Upgrade org.apache.struts:struts2-core to version 2.5.22 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Upgrade org.apache.struts:struts2-core to version 2.5.22 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution. When the namespace value is not set for a result defined in underlying xml configurations, and in same time, its upper action(s) configurations have no or wildcard namespace, an attacker may be able to conduct a remote code execution attack. They could also use the opportunity when using a url tag which does not have a value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.

Upgrade org.apache.struts:struts2-core to version 2.3.35, 2.5.17 or higher.