Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allows remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator passed to the REST Plugin.
Remediation
References
http://struts.apache.org/docs/s2-033.html
http://www.securityfocus.com/bid/90960
http://www.securitytracker.com/id/1036017
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
https://www.exploit-db.com/exploits/39919/