Versions Compared

Old Version 8

changes.mady.by.user Yasser Zamani

Saved on

compared with

New Version Current

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.

Maximum security rating

Critical

Recommendation

Upgrade to Struts 2.3.35 or Struts 2.5.17

Affected Software

Struts 2.3 0.4 - Struts 2.3.34, Struts 2.5.0 - Struts 2.5.16

Reporter

Man Yue Mo from the Semmle Security Research team

CVE Identifier

CVE-2018-11776

...

Verify that you have set (and always not forgot to set) namespace for your all defined packages. Or , verify that you have set (and always not forgot to set) namespace for your all defined results (if it is applicable) and verify that you have set (and always not forgot to set) value or action for all url tags in your JSPs, when their upper package have no or wildcard namespace.

...