...
Who should read this | All Struts 2 developers and users
---|---
Impact of vulnerability | Possible Remote Code Execution when using results with no
Maximum security rating | Critical
Recommendation |
Affected Software | Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16. The unsupported Struts versions may also be affected.
Reporter | Man Yue Mo from the Semmle Security Research team
CVE Identifier | CVE-2018-11776
...
Both 2.3.35 and 2.5.17 versions contain the security fixes only, nothing more. No backward incompatibility issues are expected.
Warning |
---|
We do get reports that in some cases backward compatibility issues can occur; this is related to usage of
We are working on a new release to fix that problem. |
Workaround
Note |
---|
This is a temporary, weak workaround. Please upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible, because those releases also contain critical proactive security improvements. |
...