Homepage
About Snyk

Arbitrary Command Execution Affecting com.opensymphony:xwork-core package, versions [2.1.4,2.1.6)

0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 8.48% (95th percentile)
Expand this section
NVD
5.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-COMOPENSYMPHONY-30322
  • published 9 Jun 2010
  • disclosed 9 Jun 2010
  • credit Meder Kydyraliev
Report a new vulnerability Found a mistake?

Introduced: 9 Jun 2010

CVE-2010-1870 Open this link in a new tab
CWE-94 Open this link in a new tab

Overview

com.opensymphony:xwork-core is an command-pattern framework that is used to power WebWork as well as other applications. XWork provides an Inversion of Control container, a powerful expression language, data type conversion, validation, and pluggable configuration.

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.