Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-11776 from the MITRE CVE dictionary dictionary and NIST NVD.
Red Hat does not ship struts2 in any product.
The source distribution for Red Hat JBoss Fuse Service Works 6 includes struts2 jars; however, they are not used during builds of the product, nor are they included in the distribution, so they are never deployed or used on systems where Fuse Service Works 6 is installed.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 9.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Fuse Service Works 6 | struts2-core | Not affected |
Vulmon