Versions Compared

Old Version 8

changes.mady.by.user Yasser Zamani

Saved on

compared with

New Version 9

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.3 0.4 - Struts 2.3.34, Struts 2.5.0 - Struts 2.5.16

Reporter

Man Yue Mo from the Semmle Security Research team

CVE Identifier

CVE-2018-11776

...