The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Struts
APPApache< 2.2.3.1
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- Struts 2
- Added to KEVi
- January 21, 2022
- Remediation deadline (US Federal)i
- July 21, 2022(overdue)
Apply updates per vendor instructions.
The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability that allows for remote code execution.
Related vulnerabilities
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect ex...
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...
Apache Struts: RCE przez podatność path traversal przy upload plików