The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 up to and including 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote malicious users to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Vulnerable Product |
---|
apache struts 2.0.0 |
apache struts 2.0.1 |
apache struts 2.0.2 |
apache struts 2.0.3 |
apache struts 2.0.4 |
apache struts 2.0.5 |
apache struts 2.0.6 |
apache struts 2.0.7 |
apache struts 2.0.8 |
apache struts 2.0.9 |
apache struts 2.0.10 |
apache struts 2.0.11 |
apache struts 2.0.11.1 |
apache struts 2.0.11.2 |
apache struts 2.0.12 |
apache struts 2.0.13 |
apache struts 2.0.14 |
apache struts 2.1.0 |
apache struts 2.1.1 |
apache struts 2.1.2 |
apache struts 2.1.3 |
apache struts 2.1.4 |
apache struts 2.1.5 |
apache struts 2.1.6 |
apache struts 2.1.8 |
apache struts 2.1.8.1 |

No fix for Business Edition 3000, though
Cisco has issued a patch for a four-year-old Apache Struts2 vulnerability. The issue, CVE-2010-1870, was originally reported in July 2010. The vulnerability arises out of how Apache Struts2 handles commands passed to the Object-Graph Navigation Language. As the Apache notification states, “The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.” Cisco has now confirm...