Warning! Remote Code Execution Vulnerability Struts2 S2-057
2018-08-22
Summary
Possible remote code execution when a result is defined without a namespace while its enclosing action(s) have no namespace or a wildcard namespace. The same applies when a url tag is used without its value and action attributes set.

Impact of vulnerability
Possible remote code execution under the conditions above: a result defined without a namespace whose enclosing action(s) have no namespace or a wildcard namespace, or a url tag used without its value and action attributes set.

Affected Software
Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16
Unsupported Struts versions may also be affected.

Maximum security rating
Critical

CVE Identifier
CVE-2018-11776

Problem
It is possible to perform an RCE attack when the namespace value is not set for a result defined in the underlying configuration and, at the same time, the configuration of its enclosing action(s) has no namespace or a wildcard namespace. The same is possible when a url tag is used without its value and action attributes set and, at the same time, the configuration of its enclosing action(s) has no namespace or a wildcard namespace.
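The following is an added example, not part of the advisory and not Apache Struts project code. It audits a struts.xml for the configuration pattern the advisory describes: a package whose namespace attribute is missing or contains a wildcard, holding an action with a result that references another action without setting its own namespace parameter. The sample struts.xml is constructed for this example; the set of result types checked (redirectAction and chain, the ones that accept a namespace param) is this example's assumption, and the url tag case in JSP views is not covered by a struts.xml scan. Upgrading to a fixed version remains the actual remedy; the scan only helps locate configurations to review.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not from the advisory). The first package uses a
# wildcard namespace and its redirectAction result omits the namespace param; the
# second package sets an explicit namespace on both the package and the result.
# The DOCTYPE line a real struts.xml carries is left out here for a self-contained parse.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">index</param>
      </result>
    </action>
  </package>
  <package name="explicit" namespace="/secure" extends="struts-default">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">index</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types that target another action and therefore take a namespace param
# (assumption of this example; extend if your configuration uses other types).
RESULT_TYPES_OF_INTEREST = {"redirectAction", "chain"}


def namespace_is_weak(ns):
    """The advisory's precondition: the namespace is absent, empty, or a wildcard."""
    return ns is None or ns.strip() == "" or "*" in ns


def find_risky_results(xml_text):
    """Return (package, action, result type) triples matching the advisory's pattern."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        if not namespace_is_weak(pkg.get("namespace")):
            continue  # explicit, non-wildcard package namespace: pattern does not apply
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype not in RESULT_TYPES_OF_INTEREST:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings


if __name__ == "__main__":
    for pkg_name, action_name, rtype in find_risky_results(SAMPLE_STRUTS_XML):
        print(f"review: package={pkg_name} action={action_name} result type={rtype} "
              f"has no namespace under a weak package namespace")
```

Run it against the sample and only the "wild" package's help action is reported; to use it on a real deployment, read each struts.xml (and any included configuration files) into the function instead of the constructed string.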

Solution
Upgrade to Apache Struts version 2.3.35 or 2.5.17.