Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

Remediation

References

http://struts.apache.org/docs/s2-033.html

http://www.securityfocus.com/bid/90960

http://www.securitytracker.com/id/1036017

http://www-01.ibm.com/support/docview.wss?uid=swg21987854

https://www.exploit-db.com/exploits/39919/

Related Vulnerabilities

CVE-2023-38493 Vulnerability in maven package com.linecorp.armeria:armeria

CVE-2021-21165 Vulnerability in maven package org.webjars.npm:electron

CVE-2017-10355 Vulnerability in maven package xerces:xercesimpl

CVE-2022-23710 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2018-7408 Vulnerability in maven package org.webjars:npm

Severity

Critical

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory