Remote Code Execution Flaw in Apache Struts 2.3.20-2.3.28
Security Alerts / Posted April 23, 2016
A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker to execute arbitrary code on a target server.
To be vulnerable, the target application must have Dynamic Method Invocation enabled. The flaw was disclosed on April 22 2016 at 19:38 GMT. AppCheck was updated on April 23rd 2016 with a plugin to detect the flaw.
The vulnerability is due to insufficient validation of user-supplied input by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by submitting a malicious expression to a targeted server. If successful, the attacker could execute arbitrary code on the server.
See the following resource for further information:
* Versions 220.127.116.11 and 18.104.22.168 are not affected
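A defender-side check for the two conditions described above (an affected struts2-core version and Dynamic Method Invocation enabled), as an added example that is not AppCheck's plugin or Apache's code. The function names, result labels and sample input are constructed for illustration; four-part version numbers are sent to manual review because the footnote exempts some releases.

```python
import re
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"
LOW, HIGH = (2, 3, 20), (2, 3, 28)  # affected range as stated in the advisory

def jar_version(jar_name):
    """Version tuple from a struts2-core jar file name, or None if it does not match."""
    m = re.fullmatch(r"struts2-core-(\d+(?:\.\d+)*)\.jar", jar_name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def dmi_from_xml(text):
    """True/False if struts.xml sets the DMI constant, None if it is absent."""
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == DMI_KEY:
            return const.get("value", "").strip().lower() == "true"
    return None

def dmi_from_properties(text):
    """Same lookup for struts.properties (key=value lines, # comments)."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == DMI_KEY:
            return value.strip().lower() == "true"
    return None

def assess(jar_name, struts_xml=None, struts_properties=None):
    """Classify one deployment; the labels are hypothetical, chosen for this example."""
    version = jar_version(jar_name)
    if version is None:
        return "unknown-version"
    if not LOW <= version[:3] <= HIGH:
        return "outside-affected-range"
    if len(version) > 3:
        return "manual-review"  # may be one of the footnoted unaffected releases
    found = [dmi_from_xml(struts_xml) if struts_xml else None,
             dmi_from_properties(struts_properties) if struts_properties else None]
    if True in found:  # conservative: any explicit "true" counts as enabled
        return "exposed"
    return "affected-version-dmi-disabled" if False in found else "affected-version-dmi-unset"

# Constructed sample input, not taken from a real application.
SAMPLE_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
  <package name="default" extends="struts-default"/>
</struts>"""

if __name__ == "__main__":
    print(assess("struts2-core-2.3.24.jar", struts_xml=SAMPLE_XML))
```

An "affected-version-dmi-unset" result means neither file sets the constant, so the effective value is whatever default that Struts release ships with and should be confirmed separately.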