Remote Command Execution Affecting org.apache.struts:struts2-core package, versions [2,2.1.8.1)

Exploit Maturity: Proof of concept
Attack Complexity: Low
snyk-id: SNYK-JAVA-ORGAPACHESTRUTS-30039
published: 25 Jul 2010
disclosed: 25 Jul 2010
credit: Meder Kydyraliev
Introduced: 25 Jul 2010
CVE: CVE-2010-1870

Overview
org.apache.struts:struts2-core
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.