Arbitrary Code Execution Affecting org.apache.struts:struts2-struts1-plugin package, versions [2.3,)


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
97.45% (100th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHESTRUTS-31457
  • published22 Aug 2017
  • disclosed6 Jul 2017
  • creditUnknown

Introduced: 6 Jul 2017

CVE-2017-9791  (opens in a new tab)
CWE-94  (opens in a new tab)
First added by Snyk

How to fix?

There is no fix version for org.apache.struts:struts2-struts1-plugin.

The vendor recommends the following:

Always use resource keys instead of passing a raw message to the ActionMessage as shown below, never pass a raw value directly

messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

and never like this

messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));

Overview

org.apache.struts:struts2-struts1-plugin is a Struts1 plugin for Struts2.

Affected versions of the package are vulnerable to Arbitrary Code Execution. When using untrusted input as a part of the error message in the ActionMessage class, a malicious user can pass in a raw message to the ActionMessage, which will then run on the server.

CVSS Scores

version 3.1