Summary
XSLTResult can be used to parse an arbitrary stylesheet

Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible Remote Code Execution |
Maximum security rating | Medium |
Recommendation | Always validate the type and content of uploaded files, and do not expose them directly in your web application. Alternatively upgrade to Struts 2.3.20.2, Struts 2.3.24.2 or Struts 2.3.28.1. |
Affected Software | Struts 2.0.0 - Struts 2.3.28 (except 2.3.20.2 and 2.3.24.2) |
Reporter | Genxor Sue - genxors at gmail dot com |
CVE Identifier | CVE-2016-3082 |
Problem
XSLTResult can accept the location of a stylesheet passed as a request parameter. Because the result compiles and runs whatever stylesheet that location points to, an attacker who can place a stylesheet where the application will load it (for example through an unvalidated file upload) can in some circumstances use this to remotely execute arbitrary code.
Solution
Always validate the type and content of uploaded files. We encourage you to upgrade to one of the versions of Apache Struts listed above.
Backward compatibility
No issues expected when upgrading to Struts 2.3.20.2, 2.3.24.2 and 2.3.28.1
Workaround
Implement your own XSLTResult based on the code of the recommended versions.
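If you cannot upgrade immediately, the workaround is to stop the result from compiling any stylesheet you did not ship. The following is an added example of such a hardened result, written for this page; it is not code from the advisory or from the Struts project. It assumes, as a reader of the 2.3.x source would want to verify, that XSLTResult exposes a protected getTemplates(String) through which every stylesheet location is resolved, that getStylesheetLocation() and setParse(boolean) are public, and that the result's default parameter is stylesheetLocation. The package name, class name and the two stylesheet paths on the allow-list are constructed for the example.

```java
package com.example.struts.results; // hypothetical package, not part of Struts

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import javax.xml.transform.Templates;
import javax.xml.transform.TransformerException;

import org.apache.struts2.views.xslt.XSLTResult;

import com.opensymphony.xwork2.ActionInvocation;

/**
 * Hardened XSLT result: only stylesheets on a fixed, build-time allow-list are
 * ever compiled, whatever value reaches the result at request time.
 *
 * Assumption (not taken from the advisory): every stylesheet location, whether
 * configured in struts.xml or taken from a request parameter by the vulnerable
 * versions, is resolved through the protected getTemplates(String) hook.
 * Verify this against the source of the Struts version you deploy.
 */
public class AllowListXSLTResult extends XSLTResult {

    // Classpath-relative names only: no URL scheme, no absolute path.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_][A-Za-z0-9_./-]*\\.xslt?$");

    // Constructed allow-list for the example; list your own stylesheets here.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "xslt/report.xsl",
            "xslt/summary.xsl"));

    /** True only for a syntactically safe name that is also on the allow-list. */
    static boolean isAllowed(String path) {
        if (path == null) {
            return false;
        }
        if (!SAFE_NAME.matcher(path).matches()) {
            return false;
        }
        // The character class above still admits "..", so reject traversal explicitly.
        if (path.contains("..") || path.contains("//")) {
            return false;
        }
        return ALLOWED.contains(path);
    }

    @Override
    public void execute(ActionInvocation invocation) throws Exception {
        // Never let ${...} / OGNL expansion touch the stylesheet location.
        setParse(false);
        String configured = getStylesheetLocation();
        if (!isAllowed(configured)) {
            throw new TransformerException("Refusing stylesheet location: " + configured);
        }
        super.execute(invocation);
    }

    @Override
    protected Templates getTemplates(String path) throws TransformerException, IOException {
        // Second gate: whatever path the superclass actually resolved (configured
        // value, request parameter or anything else) must still be on the allow-list.
        if (!isAllowed(path)) {
            throw new TransformerException("Refusing stylesheet location: " + path);
        }
        return super.getTemplates(path);
    }
}
```

Register the class as its own result type in struts.xml (for example `<result-type name="safexslt" class="com.example.struts.results.AllowListXSLTResult"/>`) and reference it with `type="safexslt"` and a `stylesheetLocation` param in each result that previously used `type="xslt"`. Because isAllowed() checks both the configured value and the path that reaches getTemplates(), a request-supplied location is rejected even if the superclass still reads one; the check fails closed with a TransformerException rather than falling back to the raw XML output.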