Summary
This host is running Apache Struts and is prone to a remote command execution vulnerability.
Impact
Successful exploitation will allow attackers to manipulate server-side context objects with the privileges of the user running the application.
Impact Level: Application.
Solution
Upgrade to Struts version 2.2 or later
For updates refer to http://struts.apache.org/download.cgi
Insight
The flaw is due to an error in the 'OGNL' extensive expression evaluation capability in XWork, as used in Struts, which relies on a permissive whitelist. This allows remote attackers to modify server-side context objects and bypass the '#' protection mechanism in ParameterInterceptors via various variables.
Affected
Struts version 2.0.0 through 2.1.8.1
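As an added check (example code, not part of the original advisory): a Python version-range test for the affected range stated above, assuming Struts is identified from struts2-core jar filenames found on the host.

```python
import re

# Affected range taken from the advisory: Struts 2.0.0 through 2.1.8.1 (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 1, 8, 1)


def parse_version(text):
    """Turn a dotted numeric version string such as '2.1.8.1' into a tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_jar(filename):
    """Extract the version from a struts2-core jar name, e.g. 'struts2-core-2.1.8.1.jar'.
    Returns None for files that are not struts2-core jars (assumed naming scheme)."""
    m = re.search(r"struts2-core-(\d+(?:\.\d+)*)\.jar$", filename)
    return parse_version(m.group(1)) if m else None


def is_affected(version):
    """True when version lies in [2.0.0, 2.1.8.1].
    Tuple comparison copes with a differing number of components:
    (2, 1, 8) < (2, 1, 8, 1) and (2, 2) > (2, 1, 8, 1), which is the intended order."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_jars(filenames):
    """Return (jar name, version) pairs for jars whose Struts version is affected."""
    findings = []
    for name in filenames:
        v = version_from_jar(name)
        if v is not None and is_affected(v):
            findings.append((name, ".".join(map(str, v))))
    return findings


if __name__ == "__main__":
    # Constructed sample listing of a webapp's lib directory.
    sample = ["struts2-core-2.1.8.1.jar", "xwork-core-2.1.6.jar", "struts2-core-2.2.1.jar"]
    for name, ver in check_jars(sample):
        print(f"affected: {name} (Struts {ver}); upgrade to 2.2 or later")
```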
Classification
CVE: CVE-2010-1870
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)