Remote Code Execution Flaw in Apache Struts 2.3.20-2.3.28

A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker to execute arbitrary code on a target server.

A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker
to execute arbitrary code on a target server.

 

In order to be vulnerable Dynamic Method Invocation must be enabled for the target application. The flaw was disclosed on April 22 2016 19:38 GMT. AppCheck was updated on the April 23rd 2016 with a plugin to detect the flaw.
The vulnerability is due to insufficient validation of user-supplied input by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by submitting a malicious expression to a targeted server. If successful, the attacker could execute arbitrary code on the server.

See the following resource for further information;

https://struts.apache.org/docs/s2-032.html

 

* Versions 2.3.20.3 and 2.3.24.3 are not affected

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

About Appcheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch