- Snyk ID: SNYK-JAVA-ORGAPACHESTRUTSXWORK-30787
- Published: 19 Oct 2015
- Disclosed: 19 Oct 2015
- Credit: Meder Kydyraliev
Affected versions of the package are vulnerable to Arbitrary Command Execution. A malicious user may bypass all the protections built into the ParametersInterceptor (the regex pattern and the denial of method invocation) and so inject a malicious expression into any exposed string variable, where it is later evaluated.