Description
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Remediation
References
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
http://secunia.com/advisories/47393
http://struts.apache.org/2.x/docs/s2-008.html
http://struts.apache.org/2.x/docs/version-notes-2311.html
http://www.exploit-db.com/exploits/18329
https://issues.apache.org/jira/browse/WW-3668
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
Related Vulnerabilities
CVE-2023-31058 Vulnerability in maven package org.apache.inlong:manager-common
CVE-2023-26048 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2019-7722 Vulnerability in maven package net.sourceforge.pmd:pmd-core
CVE-2023-49397 Vulnerability in maven package com.jfinal:jfinal
CVE-2018-16493 Vulnerability in npm package static-resource-server