Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

Remediation

References

http://www.securitytracker.com/id/1036017

http://struts.apache.org/docs/s2-033.html

http://www-01.ibm.com/support/docview.wss?uid=swg21987854

http://www.securityfocus.com/bid/90960

https://www.exploit-db.com/exploits/39919/

Related Vulnerabilities

CVE-2023-29506 Vulnerability in maven package org.xwiki.platform:xwiki-platform-security-authentication-default

CVE-2014-8152 Vulnerability in maven package org.apache.santuario:xmlsec

CVE-2020-2302 Vulnerability in maven package org.jenkins-ci.plugins:active-directory

CVE-2022-34189 Vulnerability in maven package org.jenkins-ci.plugins:image-tag-parameter

CVE-2020-2193 Vulnerability in maven package io.jenkins.plugins:echarts-api

Severity

Critical

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory