CVE-2010-1870

Published: 17/08/2010 Updated: 20/10/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 550
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 up to and including 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote malicious users to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Vulnerable Product

apache struts 2.0.8

apache struts 2.0.9

apache struts 2.0.3

apache struts 2.0.11.2

apache struts 2.0.11.1

apache struts 2.0.10

apache struts 2.0.5

apache struts 2.0.2

apache struts 2.1.5

apache struts 2.1.4

apache struts 2.0.1

apache struts 2.1.3

apache struts 2.0.12

apache struts 2.1.0

apache struts 2.0.0

apache struts 2.0.7

apache struts 2.0.4

apache struts 2.1.8.1

apache struts 2.1.2

apache struts 2.1.8

apache struts 2.0.14

apache struts 2.0.11

apache struts 2.1.6

apache struts 2.0.13

apache struts 2.1.1

apache struts 2.0.6

Vendor Advisories

Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870. The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected softwa ...

Exploits

Friday, July 9, 2010. CVE-2010-1870: Struts2/XWork remote command execution. Update Tue Jul 13 2010: Added proof of concept. Apache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 20 ...
    ##
    # $Id: struts_code_exec.rb 13586 2011-08-19 05:59:32Z bannedit $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # metasploit.com/framework/
    ##

    require 'msf/core'

    c ...

Mailing Lists

Document Title: LISTSERV Maestro Remote Code Execution Vulnerability
References (Source): www.securifera.com/advisories/sec-2020-0001/ www.lsoft.com/products/maestro.asp
Release Date: 2020-10-20
Product & Service Introduction: ...
Struts2/XWork suffers from a remote command execution vulnerability ...

Metasploit Modules

Apache Struts Remote Command Execution

This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.

    msf > use exploit/multi/http/struts_code_exec
    msf exploit(struts_code_exec) > show targets
        ...targets...
    msf exploit(struts_code_exec) > set TARGET <target-id>
    msf exploit(struts_code_exec) > show options
        ...show and set options...
    msf exploit(struts_code_exec) > exploit

Github Repositories

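Environment: Requires Java 1.8+ and Maven 3.x+
Usage:
1. Download: git clone git.oschina.net/0d/Struts2_bugs.git
2. List the remote branches: git branch -a
3. Switch to a branch: git checkout <branch name>, for example git checkout S2-046
4. Package: mvn clean package
5. Deploy in Tomcat: copy the Struts2-046.war generated in \target into the webapps directory under Tomcat, then start Tomcat
Visit 127.0.0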

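Vulmap is a vulnerability scanning tool that can scan web programs such as web containers, web servers, web middleware and CMSs for vulnerabilities, and it also has vulnerability exploitation functions. Testers can use vulmap to detect whether a target has a specific vulnerability, and can use the exploitation function to verify that the vulnerability really exists.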

Vulmap - Vulnerability scanning and verification tools. Vulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target ha

Vulmap - Web vulnerability scanning and verification tools. Vulmap is a web vulnerability scanning and verification tool that can scan webapps for vulnerabilities and has vulnerability exploitation functions. Currently supported webapps include activemq, flink, shiro, solr, struts2, tomcat, unomi, drupal, elasticsearch, fastjson, jenkins, nexus, weblogic, jboss, spring, th

Recent Articles

Apache patch: Cisco catches up with ANCIENT Struts2 vuln
The Register • Richard Chirgwin • 14 Jul 2014

No fix for Business Edition 3000, though

Cisco has issued a patch for a four-year-old Apache Struts2 vulnerability.
The original issue, CVE-2010-1870, was originally reported in July 2010. The vulnerability arises out of how Apache Struts2 handles commands passed to the Object-Graph Navigation Language. As the Apache notification states, “The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.”
Cisco has...
