Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator passed to the REST Plugin.
References
http://struts.apache.org/docs/s2-033.html
http://www.securityfocus.com/bid/90960
http://www.securitytracker.com/id/1036017
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
https://www.exploit-db.com/exploits/39919/