...
Excerpt | Possible path traversal in the Convention plugin
---|---
Who should read this | All Struts 2 developers and users
Impact of vulnerability | Possible path traversal in the Convention plugin in Struts 2.3.20 - 2.3.30
Maximum security rating | Important
Recommendation | Upgrade to Struts 2.3.31 or Struts 2.5.5
Affected Software | Struts 2.3.1 - 2.3.30, Struts 2.5 - 2.5.2
Reporter | Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE Identifier | CVE-2016-6795
Problem
It is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on the server side.
...
Upgrade to Apache Struts version 2.3.31 or 2.5.5 when you are using Struts 2.3.20 - 2.3.30 with the Convention plugin.
...
There is no known workaround for this vulnerability; please upgrade to the mentioned Struts versions.
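Since the only mitigation is upgrading, the practical question for a defender is whether a given build declares an affected struts2-core together with the Convention plugin. The following added check (not part of the advisory or of the Struts project) audits a Maven pom.xml against the version ranges stated above; the pom content is constructed for the example, and the Maven coordinates org.apache.struts:struts2-core and org.apache.struts:struts2-convention-plugin are assumed to be the ones in use.

```python
import re
import xml.etree.ElementTree as ET

# Version ranges and fixes taken from the advisory (CVE-2016-6795).
AFFECTED_RANGES = [((2, 3, 1), (2, 3, 30)), ((2, 5, 0), (2, 5, 2))]
FIXED_VERSIONS = ("2.3.31", "2.5.5")
NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml (not from any real project) declaring an affected
# struts2-core together with the Convention plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.24</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>${struts.version}</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId><version>${struts.version}</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.3.20' -> (2, 3, 20); '2.5' -> (2, 5, 0) so ranges compare as tuples."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected_version(version):
    """True when the struts2-core version lies inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def audit_pom(pom_xml):
    """Report whether a pom declares an affected Struts core with the Convention plugin."""
    root = ET.fromstring(pom_xml)
    props = {c.tag.replace(NS, ""): (c.text or "").strip()
             for p in root.findall(f"{NS}properties") for c in p}

    def resolve(value):  # expand ${property} references used in <version>
        m = re.fullmatch(r"\$\{(.+)\}", value.strip())
        return props.get(m.group(1), value) if m else value.strip()

    core_version, convention = None, False
    for dep in root.iter(f"{NS}dependency"):
        if dep.findtext(f"{NS}groupId") != "org.apache.struts":
            continue
        artifact = dep.findtext(f"{NS}artifactId")
        if artifact == "struts2-core":
            core_version = resolve(dep.findtext(f"{NS}version") or "")
        elif artifact == "struts2-convention-plugin":
            convention = True
    vulnerable = bool(core_version) and convention and is_affected_version(core_version)
    return {"struts_core": core_version, "convention_plugin": convention,
            "vulnerable": vulnerable,
            "fix": f"upgrade to {' or '.join(FIXED_VERSIONS)}" if vulnerable else None}
```

A build that pins struts2-core at 2.3.31 or 2.5.5, or that does not declare the Convention plugin at all, is reported as not vulnerable.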