...
Excerpt |
---|
Possible Remote Code Execution when using results with no |
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution when using results with no |
Maximum security rating | Critical |
Recommendation | |
Affected Software | Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16 The unsupported Struts versions may be also affected |
Reporter | Man Yue Mo from the Semmle Security Research team |
CVE Identifier | CVE-2018-11776 |
Problem
It is possible to perform a RCE attack when namespace
value isn't set for a result defined in underlying xml configurations and in same time, its upper action(s) configurations have no or wildcard namespace
. Same possibility when using url
tag which doesn’t have value
and action
set and in same time, its upper action(s) configurations have no or wildcard namespace
.
...
Verify that you have set (and always not forgot to set) namespace
(if is applicable) for your all defined results in underlying xml configurations. Also verify that you have set (and always not forgot to set) value
or action
for all url
tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace
.