Arbitrary Command Execution Affecting com.opensymphony:xwork-core package, versions [2.1.4,2.1.6)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
25.21% (97th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Command Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-COMOPENSYMPHONY-30322
  • published9 Jun 2010
  • disclosed9 Jun 2010
  • creditMeder Kydyraliev

Introduced: 9 Jun 2010

CVE-2010-1870  (opens in a new tab)
CWE-94  (opens in a new tab)

Overview

com.opensymphony:xwork-core is an command-pattern framework that is used to power WebWork as well as other applications. XWork provides an Inversion of Control container, a powerful expression language, data type conversion, validation, and pluggable configuration.

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

CVSS Scores

version 3.1