Summary
This host is running Apache Struts 2 and is prone to a remote command execution vulnerability.
Impact
Successful exploitation lets a remote attacker inject OGNL expressions through request parameters, modify server-side context objects and, by disabling XWork's method-access restrictions from within those objects, execute arbitrary code with the privileges of the user running the application.
Impact Level: Application.
Solution
Upgrade to Struts 2.2.1 or later (the release that carries the fix for this issue).
For updates refer to http://struts.apache.org/download.cgi
Insight
The flaw lies in the OGNL extensive expression evaluation capability of XWork, as used by Struts 2. ParametersInterceptor is meant to keep request parameter names away from OGNL's '#' context syntax, but the whitelist of accepted parameter names is too permissive: an OGNL expression can still be smuggled in (for example with the '#' written as the Java unicode escape \u0023, which OGNL decodes inside a string literal), and from there a remote attacker can reach server-side context objects such as #context, #_memberAccess, #root, #this and #application. Rewriting #_memberAccess in particular switches off the restrictions that normally block static and arbitrary method invocation, which is what turns parameter tampering into command execution.
Affected
Struts versions 2.0.0 through 2.1.8.1. The installed version can be read off the struts2-core-<version>.jar under WEB-INF/lib of the deployed application.
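The two checks below are an added example written for this advisory; they are not code from the advisory itself or from the Struts project. The first decides whether a reported Struts version falls inside the affected range above. The second runs over raw query strings and flags parameter names that reference one of the OGNL context variables named in the Insight section, whether the '#' appears literally or as the \u0023 escape. The regex and the sample query strings are constructed for illustration and are not the ParametersInterceptor whitelist of any Struts release.

```python
"""Two checks for CVE-2010-1870 (Struts S2-005), written for this advisory.

is_affected(version)           -> is a reported Struts 2 version inside the
                                  affected range 2.0.0 through 2.1.8.1?
find_suspicious_params(query)  -> which parameter names in a raw query string
                                  reference an OGNL context variable, either
                                  with a literal '#' or with the Java unicode
                                  escape \\u0023 that OGNL decodes inside a
                                  string literal?

The regex and the sample query strings are constructed for this example; the
regex is not the ParametersInterceptor whitelist of any Struts release.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Range stated in the advisory, inclusive at both ends.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 1, 8, 1)

# Server-side context variables named for this CVE; '#' selects them in OGNL.
CONTEXT_VARS = ("context", "_memberAccess", "root", "this", "application",
                "_typeResolver", "_classResolver", "_traceEvaluations",
                "_lastEvaluation", "_keepLastEvaluation")
# A literal '#' or its unicode escape, followed by one of the variable names.
HASH = r"(?:#|\\u0023)"
SUSPICIOUS = re.compile(
    HASH + "(" + "|".join(re.escape(v) for v in CONTEXT_VARS) + r")\b")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.1.8.1' -> (2, 1, 8, 1); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    core = version.strip().split("-")[0]
    if not re.fullmatch(r"\d+(?:\.\d+)*", core):
        raise ValueError(f"not a dotted version: {version!r}")
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True when version lies in 2.0.0 .. 2.1.8.1 inclusive.

    Tuple comparison handles the differing component counts:
    (2, 1, 8) < (2, 1, 8, 1) < (2, 2, 1).
    """
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_suspicious_params(query: str) -> List[str]:
    """Return the percent-decoded parameter names of `query` that reference an
    OGNL context variable. Decoding happens here once, as the servlet container
    does before Struts ever sees the name, so %23 and %5Cu0023 are both caught."""
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        name = unquote_plus(pair.split("=", 1)[0])
        if SUSPICIOUS.search(name):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for v in ("2.0.0", "2.1.8.1", "2.2.1", "2.3.1.2"):
        print(f"Struts {v}: {'affected' if is_affected(v) else 'not affected'}")

    # Constructed request samples: one benign, two shaped like S2-005 tampering.
    SAMPLES = [
        "name=alice&page=2",
        "%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D=false&x=1",
        "%28%27%5Cu0023_memberAccess%5B%5C%27allowStaticMethodAccess%5C%27%5D"
        "%27%29%28meh%29=true",
    ]
    for q in SAMPLES:
        print(f"{q!r}: flagged {find_suspicious_params(q)}")
```

The detector deliberately decodes the query string exactly once before matching, because that is the form in which the container hands parameter names to Struts; matching on the encoded form would miss %23 and %5Cu0023 and checking the decoded form twice would reintroduce double-decoding mismatches. Version comparison works on integer tuples so that 2.1.8 sorts below 2.1.8.1 and both sort below 2.2.1.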
References
- Apache Struts security bulletin S2-005
- CVE-2010-1870
Severity
Medium (CVSS v2 base score 5.0)
Classification
CVE: CVE-2010-1870
CVSS Base Score: 5.0
CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
This vector records only a partial integrity impact; where OGNL evaluation is turned into command execution, the practical impact is higher than the score suggests.