Summary
In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints.
Who should read this |
All Struts 2 developers and users |
---|---|
Impact of vulnerability |
Permissions, Privileges, and Access Controls |
Maximum security rating |
Important |
Recommendation |
Developers should immediately upgrade to Struts 2.3.15.2 |
Affected Software |
Struts 2.0.0 - Struts 2.3.15.1 |
Reporter |
Zhangyan (L), Huawei PSIRT |
CVE Identifier |
Problem
In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints. More details will available later on when the patch will be widely adopted.
Proof of concept
TBU
Solution
In Struts 2.3.15.2 the action mapping mechanism was changed to avoid circumventing security constraints.
Another option is to write your own ActionMapper and completely drop support for "action:" prefix if support for multiple submit buttons isn't used. Consult manual how to write your own ActionMapper.
Backward Compatibility
After upgrading to Struts >= 2.3.15.2, applications using the "action:" should still work as expected.
It is strongly recommended to upgrade to Struts 2.3.15.2, which contains the corrected Struts2-Core library.