Published: 17/08/2010 Updated: 24/07/2014
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 550
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 up to and including, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote malicious users to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Vendor Advisories

Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870. The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected softwa ...


Friday, July 9, 2010. CVE-2010-1870: Struts2/XWork remote command execution. Update Tue Jul 13 2010: Added proof of concept. Apache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 20 ...

      ##
      # $Id: struts_code_exec.rb 13586 2011-08-19 05:59:32Z bannedit $
      ##

      ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # Framework web site for more information on licensing and terms of use.
      # metasploit.com/framework/
      ##

      require 'msf/core'

      c ...

Mailing Lists

Struts2/XWork suffers from a remote command execution vulnerability ...

Metasploit Modules

Apache Struts Remote Command Execution

This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.

      msf > use exploit/multi/http/struts_code_exec
      msf exploit(struts_code_exec) > show targets
      msf exploit(struts_code_exec) > set TARGET <target-id>
      msf exploit(struts_code_exec) > show options
            ...show and set options...
      msf exploit(struts_code_exec) > exploit

Github Repositories

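Environment: Requires Java 18+ and Maven 3x+
Usage:
1. Download: git clone gitoschinanet/0d/Struts2_bugsgit
2. List the remote branches: git branch -a
3. Switch to a branch: git checkout <branch-name>, for example git checkout S2-046
4. Package: mvn clean package
5. Deploy in Tomcat: copy the Struts2-046war generated in \target into the webapps directory under Tomcat, then start Tomcat. Visit 12700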

Recent Articles

Apache patch: Cisco catches up with ANCIENT Struts2 vuln
The Register • Richard Chirgwin • 14 Jul 2014

No fix for Business Edition 3000, though

Cisco has issued a patch for a four-year-old Apache Struts2 vulnerability.
The original issue, CVE-2010-1870, was originally reported in July 2010. The vulnerability arises out of how Apache Struts2 handles commands passed to the Object-Graph Navigation Language. As the Apache notification states, “The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.”
Cisco has...