Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
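The description names three conditions that must hold together: an affected core version, the REST Plugin, and Dynamic Method Invocation enabled. The Python check below is an added example, not code from this advisory or from the Struts project. Its function names and sample inputs are constructed. It assumes the DMI setting lives in `struts.xml` as the `struts.enable.DynamicMethodInvocation` constant and that a missing constant means disabled.

```python
import xml.etree.ElementTree as ET

# Affected ranges copied from the description above (inclusive bounds).
AFFECTED = [("2.3.19", "2.3.20.2"), ("2.3.21", "2.3.24.1"), ("2.3.25", "2.3.28")]
DMI_KEY = "struts.enable.DynamicMethodInvocation"

def parse_version(text):
    """'2.3.20.2' -> (2, 3, 20, 2); pads to four parts so 2.3.20 < 2.3.20.2."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def version_affected(version):
    """True if the version falls inside one of the ranges in the description."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)

def dmi_enabled(struts_xml):
    """True if the struts.xml text sets the DMI constant to 'true'.
    Assumption: an absent constant counts as disabled."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == DMI_KEY:
            return const.get("value", "").strip().lower() == "true"
    return False

def exposed(core_version, struts_xml, jar_names):
    """All three conditions from the description must hold."""
    has_rest = any(n.startswith("struts2-rest-plugin") for n in jar_names)
    return version_affected(core_version) and has_rest and dmi_enabled(struts_xml)

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_XML_ON = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
SAMPLE_XML_OFF = SAMPLE_XML_ON.replace('"true"', '"false"')
SAMPLE_JARS = ["struts2-core-2.3.24.1.jar", "struts2-rest-plugin-2.3.24.1.jar"]

if __name__ == "__main__":
    for ver in ("2.3.20.2", "2.3.20.3", "2.3.28", "2.3.28.1"):
        print(ver, "affected" if version_affected(ver) else "not in listed ranges")
    print("exposed:", exposed("2.3.24.1", SAMPLE_XML_ON, SAMPLE_JARS))
```

The check reads only `struts.xml`; a deployment that sets the same key elsewhere (for example in `struts.properties`) needs that file inspected as well.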
Remediation
References
http://struts.apache.org/docs/s2-033.html
http://www.securityfocus.com/bid/90960
http://www.securitytracker.com/id/1036017
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
https://www.exploit-db.com/exploits/39919/