Arbitrary Code Execution Affecting com.opensymphony:xwork-core package, versions [2.1.4,2.1.6)
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Mature
EPSS
29.32% (97th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-COMOPENSYMPHONY-30325
- published 20 Dec 2011
- disclosed 20 Dec 2011
- credit Johannes Dahse, Bruce Phillips
Overview
com.opensymphony:xwork-core
is an command-pattern framework that is used to power WebWork as well as other applications. XWork provides an Inversion of Control container, a powerful expression language, data type conversion, validation, and pluggable configuration.
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.