Apache Roller OGNL injection

Description

Apache Roller is a full-featured, multi-user and group-blog server suitable for blog sites large and small. It runs as a Java web application that should run on almost any Java EE server and relational database.

Roller version 5 earlier than 5.0.2 and all of version 4 are vulnerable to an unauthenticated (pre-authentication) OGNL injection that can result in remote code execution (RCE).

Remediation

Upgrade to the latest version of Apache Roller (the problem was fixed in version 5.0.2).
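The affected ranges above (all of 4.x, and 5.x before 5.0.2) are easy to get wrong when checking a fleet of installations by hand, because a plain string comparison treats "5.0.10" as older than "5.0.2". The following added example, which is not part of this advisory or of the Apache Roller project, encodes the advisory's affected ranges in a small version check that can be run over an inventory of Roller deployments. The inventory and its host names are constructed sample data; versions outside 4.x and 5.x are reported as not covered by this advisory rather than guessed at.

```python
import re

# Version in which the advisory says the problem was fixed.
FIXED_VERSION = (5, 0, 2)

# Statuses returned by assess().
VULNERABLE = "vulnerable"
FIXED = "fixed"
NOT_COVERED = "not covered by this advisory"


def parse_version(version):
    """Parse 'major[.minor[.patch]]' into a tuple of ints.

    Trailing qualifiers such as '-incubating' or '.RC1' are ignored;
    missing minor/patch components default to 0 so that '5' == '5.0.0'.
    """
    match = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) if part else 0 for part in match.groups())


def assess(version):
    """Classify a Roller version against the advisory's affected ranges.

    - every 4.x release is vulnerable
    - 5.x releases before 5.0.2 are vulnerable, 5.0.2 and later are fixed
    - anything else is outside what the advisory states, so it is
      reported as not covered instead of being assumed safe
    """
    parsed = parse_version(version)
    major = parsed[0]
    if major == 4:
        return VULNERABLE
    if major == 5:
        # Tuple comparison is numeric per component, so 5.0.10 > 5.0.2.
        return VULNERABLE if parsed < FIXED_VERSION else FIXED
    return NOT_COVERED


def triage(inventory):
    """Return {status: [host, ...]} for an iterable of (host, version) pairs."""
    result = {VULNERABLE: [], FIXED: [], NOT_COVERED: []}
    for host, version in inventory:
        result[assess(version)].append(host)
    return result


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("blog-01.example.internal", "5.0.1"),
    ("blog-02.example.internal", "5.0.2"),
    ("blog-03.example.internal", "5.0.10"),
    ("legacy.example.internal", "4.0.1"),
    ("ancient.example.internal", "3.1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print("%s: %s" % (status, ", ".join(hosts) or "-"))
```

Hosts reported as vulnerable should be upgraded to 5.0.2 or later; hosts reported as not covered need to be checked against whatever advisory applies to their release line, since the absence of a match here is not evidence that they are safe.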
