Remote Code Execution Flaw in Apache Struts 2.3.20-2.3.28

A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker
to execute arbitrary code on a target server.

 

In order to be vulnerable Dynamic Method Invocation must be enabled for the target application. The flaw was disclosed on April 22 2016 19:38 GMT. AppCheck was updated on the April 23rd 2016 with a plugin to detect the flaw.
The vulnerability is due to insufficient validation of user-supplied input by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by submitting a malicious expression to a targeted server. If successful, the attacker could execute arbitrary code on the server.

See the following resource for further information;

https://struts.apache.org/docs/s2-032.html

 

* Versions 2.3.20.3 and 2.3.24.3 are not affected

Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial