Versions Compared

Old Version 3

changes.mady.by.user Yasser Zamani

Saved on

compared with

New Version 4

changes.mady.by.user Yasser Zamani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: delete "xml" term to cover convention conf

...

Excerpt

Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set.


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set.

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16

The unsupported Struts versions may be also affected

Reporter

Man Yue Mo from the Semmle Security Research team

CVE Identifier

CVE-2018-11776

Problem

It is possible to perform a RCE attack when namespace value isn't set for a result defined in underlying xml configurations and in same time, its upper action(s) configurations have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.

...

Verify that you have set (and always not forgot to set) namespace (if is applicable) for your all defined results in underlying xml configurations. Also verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace.