The Apache Struts Security team would like to announce that forced
OGNL evaluation, when evaluated on raw user input in tag attributes,
may lead to remote code execution.
Affected products
Apache Struts 2.0.0 - 2.5.25
Problem
Some of the tag's attributes could perform a double evaluation if a
developer applied forced OGNL evaluation by using the %{...} syntax.
Using forced OGNL evaluation on untrusted user input can lead to a
Remote Code Execution and security degradation.
Solution
Avoid using forced OGNL evaluation on untrusted user input, and/or
upgrade to Struts 2.5.26 which checks if expression evaluation won't
lead to the double evaluation.
Please read our Security Bulletin for more details:
https://cwiki.apache.org/confluence/display/WW/S2-061
This vulnerability was identified by:
- Alvaro Munoz - pwntester at github dot com
- Masato Anzai of Aeye Security Lab, inc.
All developers are strongly advised to perform this action.
Kind regards
--
Ćukasz
+ 48 606 323 122 http://www.lenart.org.pl/
